diff --git a/src/apps.js b/src/apps.js
index d524ab325..5103e146d 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -1779,12 +1779,12 @@ async function setCertificate(app, data, auditSource) {
 if (error) throw error;
 }
- const certificateJson = cert && key ? JSON.stringify({ cert, key }) : null;
- const result = await database.query('UPDATE locations SET certificateJson=? WHERE location=? AND domain=?', [ certificateJson, subdomain, domain ]);
+ const certificate = cert && key ? { cert, key } : null;
+ const result = await database.query('UPDATE locations SET certificateJson=? WHERE location=? AND domain=?', [ certificate ? JSON.stringify(certificate) : null, subdomain, domain ]);
 if (result.affectedRows === 0) throw new BoxError(BoxError.NOT_FOUND, 'Location not found');
 app = await get(app.id); // refresh app object
- await reverseProxy.writeAppConfigs(app);
+ await reverseProxy.setUserCertificate(app, dns.fqdn(subdomain, domainObject), certificate);
 await eventlog.add(eventlog.ACTION_APP_CONFIGURE, auditSource, { appId: app.id, app, subdomain, domain, cert });
 }
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index d39b390ca..3e4423d36 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -1,13 +1,14 @@
 'use strict';
 exports = module.exports = {
- setFallbackCertificate,
+ setUserCertificate, // per location certificate
+ setFallbackCertificate, // per domain certificate
 generateFallbackCertificate,
 validateCertificate,
- getCertificatePath,
+ getCertificatePath, // resolved cert path
 ensureCertificate,
 checkCerts,
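Review bot: The `UPDATE locations` statement in `setCertificate` commits before `reverseProxy.setUserCertificate()` touches the disk, so a failed cert or key write leaves the database holding a certificate that nginx is not serving. Before this commit `writeAppConfigs()` rewrote the user cert files from the app object on every call, which repaired that kind of drift. With that loop body removed in src/reverseproxy.js, the files are written only from this one call, so any path that starts from the database (a restore or re-configure, if one relies on it; not visible here) would no longer put the stored certificate on disk. At minimum document it above the call, e.g. `// user cert files are written only here; writeAppConfigs() no longer syncs them from the db`, or keep a sync step for those paths. `domainObject` is defined outside the hunk, so its relation to `domain` could not be checked.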
@@ -540,20 +541,25 @@ async function writeAppConfigs(app) {
 .concat(app.aliasDomains.map(ad => { return { domain: ad.domain, certificate: ad.certificate, fqdn: ad.fqdn, type: apps.LOCATION_TYPE_ALIAS }; }));
 for (const appDomain of appDomains) {
- const { certFilePath, keyFilePath } = getUserCertificatePathSync(appDomain.fqdn);
- if (appDomain.certificate !== null) {
- if (!safe.fs.writeFileSync(certFilePath, appDomain.certificate.cert)) throw safe.error;
- if (!safe.fs.writeFileSync(keyFilePath, appDomain.certificate.key)) throw safe.error;
- } else { // remove existing cert/key
- if (!safe.fs.unlinkSync(certFilePath)) debug(`Error removing cert: ${safe.error.message}`);
- if (!safe.fs.unlinkSync(keyFilePath)) debug(`Error removing key: ${safe.error.message}`);
- }
-
 const certificatePath = await getCertificatePath(appDomain.fqdn, appDomain.domain);
 await writeAppNginxConfig(app, appDomain.fqdn, appDomain.type, certificatePath);
 }
 }
+async function setUserCertificate(app, fqdn, certificate) {
+ const { certFilePath, keyFilePath } = getUserCertificatePathSync(fqdn);
+
+ if (certificate !== null) {
+ if (!safe.fs.writeFileSync(certFilePath, certificate.cert)) throw safe.error;
+ if (!safe.fs.writeFileSync(keyFilePath, certificate.key)) throw safe.error;
+ } else { // remove existing cert/key
+ if (!safe.fs.unlinkSync(certFilePath)) debug(`Error removing cert: ${safe.error.message}`);
+ if (!safe.fs.unlinkSync(keyFilePath)) debug(`Error removing key: ${safe.error.message}`);
+ }
+
+ await writeAppConfigs(app);
+}
+
 async function configureApp(app, auditSource) {
 assert.strictEqual(typeof app, 'object');
 assert.strictEqual(typeof auditSource, 'object');
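Review bot: The private key in `setUserCertificate` is written with `safe.fs.writeFileSync(keyFilePath, certificate.key)` and no explicit mode, so the file takes the process umask default, which is commonly world-readable unless the containing directory is already restricted (the hunk does not show that). If `safe.fs.writeFileSync` forwards an options argument the way `fs.writeFileSync` does, pass one: `if (!safe.fs.writeFileSync(keyFilePath, certificate.key, { mode: 0o600 })) throw safe.error;`; the mode applies only when the file is created, so an existing key file needs a chmod as well. The two writes are also not atomic: if the cert write succeeds and the key write throws, a mismatched pair stays on disk and `writeAppConfigs(app)` is skipped. The new function also lacks the `assert.strictEqual(typeof ...)` argument checks that `configureApp` just below opens with.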