diff --git a/src/certificatemanager.js b/src/certificatemanager.js
new file mode 100644
index 000000000..679e60066
--- /dev/null
+++ b/src/certificatemanager.js
@@ -0,0 +1,37 @@
+/* jslint node:true */
+
+'use strict';
+
+var acme = require('./cert/acme.js'),
+    assert = require('assert'),
+    async = require('async'),
+    config = require('./config.js'),
+    debug = require('debug')('src/certificatemanager'),
+    paths = require('./paths.js'),
+    sysinfo = require('./sysinfo.js');
+
+exports = module.exports = {
+    initialize: initialize,
+    uninitialize: uninitialize,
+    autoRenew: autoRenew
+};
+
+function initialize(callback) {
+    if (!config.isCustomDomain()) return callback();
+
+    callback();
+    // TODO: check if dns is in sync first!
+
+    // acme.getCertificate(config.adminFqdn(), paths.APP_CERTS_DIR, function (error) {
+        // copy to nginx cert dir
+        // reload nginx
+    // });
+}
+
+function uninitialize(callback) {
+    callback();
+}
+
+function autoRenew() {
+    debug('will automatically renew certs');
+}
diff --git a/src/cron.js b/src/cron.js
index e1228b9c6..92d757999 100644
--- a/src/cron.js
+++ b/src/cron.js
@@ -7,6 +7,7 @@ exports = module.exports = {
 
 var apps = require('./apps.js'),
     assert = require('assert'),
+    certificateManager = require('./certificatemanager.js'),
     cloudron = require('./cloudron.js'),
     config = require('./config.js'),
     CronJob = require('cron').CronJob,
@@ -23,7 +24,8 @@ var gAutoupdaterJob = null,
     gBackupJob = null,
     gCleanupTokensJob = null,
     gDockerVolumeCleanerJob = null,
-    gSchedulerSyncJob = null;
+    gSchedulerSyncJob = null,
+    gCertificateRenewJob = null;
 
 var NOOP_CALLBACK = function (error) { if (error) console.error(error); };
 
@@ -107,6 +109,14 @@ function recreateJobs(unusedTimeZone, callback) {
             timeZone: allSettings[settings.TIME_ZONE_KEY]
         });
 
+        if (gCertificateRenewJob) gCertificateRenewJob.stop();
+        gCertificateRenewJob = new CronJob({
+            cronTime: '00 00 */12 * * *', // every 12 hours
+            onTick: certificateManager.autoRenew,
+            start: true,
+            timeZone: allSettings[settings.TIME_ZONE_KEY]
+        });
+
         settings.events.removeListener(settings.AUTOUPDATE_PATTERN_KEY, autoupdatePatternChanged);
         settings.events.on(settings.AUTOUPDATE_PATTERN_KEY, autoupdatePatternChanged);
         autoupdatePatternChanged(allSettings[settings.AUTOUPDATE_PATTERN_KEY]);
@@ -179,5 +189,8 @@ function uninitialize(callback) {
     if (gSchedulerSyncJob) gSchedulerSyncJob.stop();
     gSchedulerSyncJob = null;
 
+    if (gCertificateRenewJob) gCertificateRenewJob.stop();
+    gCertificateRenewJob = null;
+
     callback();
 }
diff --git a/src/server.js b/src/server.js
index 124d06b11..44f166f69 100644
--- a/src/server.js
+++ b/src/server.js
@@ -10,6 +10,7 @@ exports = module.exports = {
 var assert = require('assert'),
     async = require('async'),
     auth = require('./auth.js'),
+    certificateManager = require('./certificatemanager.js'),
     cloudron = require('./cloudron.js'),
     cron = require('./cron.js'),
     config = require('./config.js'),
@@ -234,6 +235,7 @@ function start(callback) {
     async.series([
         auth.initialize,
         database.initialize,
+        certificateManager.initialize,
         cloudron.initialize, // keep this here because it reads activation state that others depend on
         taskmanager.initialize,
         mailer.initialize,
@@ -254,6 +256,7 @@ function stop(callback) {
         taskmanager.uninitialize,
         cron.uninitialize,
         mailer.uninitialize,
+        certificateManager.initialize,
         database.uninitialize,
         gHttpServer.close.bind(gHttpServer),
         gInternalHttpServer.close.bind(gInternalHttpServer)