diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 6eed27b82..3c286fa99 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -190,9 +190,13 @@ function setFallbackCertificate(domain, fallback, callback) {
 const keyFilePath = path.join(paths.APP_CERTS_DIR, `${domain}.host.key`);

 if (fallback) {
- // backup the cert
- if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`), fallback.cert)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
- if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.key`), fallback.key)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
+ if (fallback.restricted) { // restricted certs are not backed up
+ if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, `${domain}.host.cert`), fallback.cert)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
+ if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, `${domain}.host.key`), fallback.key)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
+ } else {
+ if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.cert`), fallback.cert)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
+ if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${domain}.host.key`), fallback.key)) return callback(new ReverseProxyError(ReverseProxyError.INTERNAL_ERROR, safe.error.message));
+ }
 } else if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) { // generate it
 let opensslConf = safe.fs.readFileSync('/etc/ssl/openssl.cnf', 'utf8');
 // SAN must contain all the domains since CN check is based on implementation if SAN is found. -checkhost also checks only SAN if present!
diff --git a/src/routes/domains.js b/src/routes/domains.js
index 38ee62eb1..c3b255066 100644
--- a/src/routes/domains.js
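Review bot: Both new branches write `fallback.key` with no `mode` option, so unless `safe.fs.writeFileSync` (not visible here) tightens permissions itself, the private key file is created with the umask-derived default rather than owner-only, and the `paths.NGINX_CERT_DIR` write in the restricted branch is the more exposed one since that directory is what the web server reads. Passing `{ mode: 0o600 }` as the third argument on the two `.host.key` writes would close that, assuming the wrapper forwards options to `fs.writeFileSync`. The inline comment should also say what a restricted certificate is rather than only what is skipped, e.g. `// restricted: not persisted under APP_CERTS_DIR (so never backed up); written straight to the nginx cert dir`. setFallbackCertificate continues past the hunk; if the rest of the function copies certFilePath from APP_CERTS_DIR into NGINX_CERT_DIR unconditionally, the restricted write would be overwritten by whatever stale file is there, which is worth confirming.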
+++ b/src/routes/domains.js
@@ -43,8 +43,11 @@ function add(req, res, next) {
 if ('zoneName' in req.body && typeof req.body.zoneName !== 'string') return next(new HttpError(400, 'zoneName must be a string'));
 if ('fallbackCertificate' in req.body && typeof req.body.fallbackCertificate !== 'object') return next(new HttpError(400, 'fallbackCertificate must be a object with cert and key strings'));
- if (req.body.fallbackCertificate && (!req.body.cert || typeof req.body.cert !== 'string')) return next(new HttpError(400, 'fallbackCertificate.cert must be a string'));
- if (req.body.fallbackCertificate && (!req.body.key || typeof req.body.key !== 'string')) return next(new HttpError(400, 'fallbackCertificate.key must be a string'));
+ if (req.body.fallbackCertificate) {
+ if (!req.body.cert || typeof req.body.cert !== 'string') return next(new HttpError(400, 'fallbackCertificate.cert must be a string'));
+ if (!req.body.key || typeof req.body.key !== 'string') return next(new HttpError(400, 'fallbackCertificate.key must be a string'));
+ if ('restricted' in req.body && typeof req.body.fallbackCertificate.restricted !== 'boolean') return next(new HttpError(400, 'fallbackCertificate.restricted must be a boolean'));
+ }

 if ('tlsConfig' in req.body) {
 if (!req.body.tlsConfig || typeof req.body.tlsConfig !== 'object') return next(new HttpError(400, 'tlsConfig must be a object with a provider string property'));
diff --git a/src/setup.js b/src/setup.js
index fef407a1d..9900330b8 100644
--- a/src/setup.js
+++ b/src/setup.js
@@ -23,7 +23,6 @@ var assert = require('assert'),
 domains = require('./domains.js'),
 DomainsError = domains.DomainsError,
 eventlog = require('./eventlog.js'),
- fs = require('fs'),
 mail = require('./mail.js'),
 path = require('path'),
 paths = require('./paths.js'),
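Review bot: The cert and key checks inside the new `if (req.body.fallbackCertificate)` block read `req.body.cert` and `req.body.key`, and the restricted check tests `'restricted' in req.body`, while the error messages refer to `fallbackCertificate.cert`, `.key` and `.restricted`; a body with `fallbackCertificate: { cert: 123, key: null, restricted: 'yes' }` passes as long as top-level `cert`/`key` are strings, and a correct body with no top-level `cert` is rejected with a misleading message. Since `restricted` presumably selects the write-straight-to-nginx path added to reverseproxy.js in this same commit, a truthy non-boolean silently takes it. The three lines should read `if (!req.body.fallbackCertificate.cert || typeof req.body.fallbackCertificate.cert !== 'string') return next(...)`, `if (!req.body.fallbackCertificate.key || typeof req.body.fallbackCertificate.key !== 'string') return next(...)` and `if ('restricted' in req.body.fallbackCertificate && typeof req.body.fallbackCertificate.restricted !== 'boolean') return next(...)`. The `add` handler continues beyond the hunk.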
@@ -95,12 +94,6 @@ function autoprovision(callback) {
 case 'appstoreConfig': name = settings.APPSTORE_CONFIG_KEY; break;
 case 'caasConfig': name = settings.CAAS_CONFIG_KEY; break;
 case 'backupConfig': name = settings.BACKUP_CONFIG_KEY; break;
- case 'tlsCert':
- debug(`autoprovision: ${key}`);
- return fs.writeFile(path.join(paths.NGINX_CERT_DIR, config.adminDomain() + '.host.cert'), conf[key], iteratorDone);
- case 'tlsKey':
- debug(`autoprovision: ${key}`);
- return fs.writeFile(path.join(paths.NGINX_CERT_DIR, config.adminDomain() + '.host.key'), conf[key], iteratorDone);
 default:
 debug(`autoprovision: ${key} ignored`);
 return iteratorDone();
@@ -194,7 +187,7 @@ function provision(dnsConfig, callback) {
 if (result) return callback(new SetupError(SetupError.BAD_STATE, 'Domain already exists'));

 async.series([
- domains.add.bind(null, domain, zoneName, dnsConfig.provider, dnsConfig.config, null /* cert */, dnsConfig.tlsConfig || { provider: 'letsencrypt-prod' }),
+ domains.add.bind(null, domain, zoneName, dnsConfig.provider, dnsConfig.config, dnsConfig.fallbackCertificate, dnsConfig.tlsConfig || { provider: 'letsencrypt-prod' }),
 mail.addDomain.bind(null, domain)
 ], done);
 });
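Review bot: `dnsConfig.fallbackCertificate` is now forwarded to `domains.add` as-is, and nothing visible in `provision` checks that it is an object with string `cert`/`key` and a boolean `restricted` the way the domains route does in this same commit; if dnsConfig originates from a setup request (its origin is outside the hunk), a malformed value reaches the certificate writer unchecked and, when `restricted` is any truthy value, is written straight into the nginx cert directory. A guard before `async.series` that rejects a non-object or non-string `cert`/`key` via `callback(new SetupError(...))`, using whichever error code the module already uses for bad input, would keep the two entry points consistent. Since the `tlsCert`/`tlsKey` autoprovision keys removed earlier in this file were the previous way to supply this material and now only log `ignored`, a comment or commit-message note saying that `fallbackCertificate` replaces them would help operators with older provisioning configs. provision's body starts before the hunk.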