diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 22f44c754..5e1c583e4 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -1,7 +1,6 @@
 'use strict';
 exports = module.exports = {
- setAppCertificate,
 setFallbackCertificate,
 generateFallbackCertificate,
@@ -246,7 +245,7 @@ function getFallbackCertificatePathSync(domain) {
 return { certFilePath, keyFilePath };
 }
-function getAppCertificatePathSync(fqdn) {
+function getUserCertificatePathSync(fqdn) {
 assert.strictEqual(typeof fqdn, 'string');
 const certFilePath = path.join(paths.NGINX_CERT_DIR, `${fqdn}.user.cert`);
@@ -276,25 +275,6 @@ function getAcmeCertificatePathSync(fqdn, domainObject) {
 return { certName, certFilePath, keyFilePath, csrFilePath, acmeChallengesDir };
 }
-async function setAppCertificate(subdomain, domainObject, certificate) {
- assert.strictEqual(typeof subdomain, 'string');
- assert.strictEqual(typeof domainObject, 'object');
- assert.strictEqual(typeof certificate, 'object');
-
- const fqdn = dns.fqdn(subdomain, domainObject);
- const { certFilePath, keyFilePath } = getAppCertificatePathSync(fqdn);
-
- if (certificate !== null) {
- if (!safe.fs.writeFileSync(certFilePath, certificate.cert)) throw safe.error;
- if (!safe.fs.writeFileSync(keyFilePath, certificate.key)) throw safe.error;
- } else { // remove existing cert/key
- if (!safe.fs.unlinkSync(certFilePath)) debug(`Error removing cert: ${safe.error.message}`);
- if (!safe.fs.unlinkSync(keyFilePath)) debug(`Error removing key: ${safe.error.message}`);
- }
-
- await reload();
-}
-
 async function getCertificatePath(fqdn, domain) {
 assert.strictEqual(typeof fqdn, 'string');
 assert.strictEqual(typeof domain, 'string');
@@ -305,7 +285,7 @@ async function getCertificatePath(fqdn, domain) {
 const domainObject = await domains.get(domain);
- const bundlePath = getAppCertificatePathSync(fqdn); // user cert always wins
+ const bundlePath = getUserCertificatePathSync(fqdn); // user cert always wins
 if (fs.existsSync(bundlePath.certFilePath) && fs.existsSync(bundlePath.keyFilePath)) return bundlePath;
 if (domainObject.tlsConfig.provider === 'fallback') return getFallbackCertificatePathSync(domain);
@@ -324,7 +304,7 @@ async function checkAppCertificate(fqdn, domainObject) {
 const bundle = await apps.getCertificate(subdomain, domainObject.domain);
 if (!bundle) return null;
- const { certFilePath, keyFilePath } = getAppCertificatePathSync(fqdn);
+ const { certFilePath, keyFilePath } = getUserCertificatePathSync(fqdn);
 if (!safe.fs.writeFileSync(certFilePath, bundle.cert)) throw new BoxError(BoxError.FS_ERROR, `Failed to write certificate: ${safe.error.message}`);
 if (!safe.fs.writeFileSync(keyFilePath, bundle.key)) throw new BoxError(BoxError.FS_ERROR, `Failed to write key: ${safe.error.message}`);
@@ -554,12 +534,21 @@ async function writeAppNginxConfig(app, fqdn, type, bundlePath) {
 async function writeAppConfigs(app) {
 assert.strictEqual(typeof app, 'object');
- const appDomains = [{ domain: app.domain, fqdn: app.fqdn, type: apps.LOCATION_TYPE_PRIMARY }]
- .concat(app.secondaryDomains.map(sd => { return { domain: sd.domain, fqdn: sd.fqdn, type: apps.LOCATION_TYPE_SECONDARY }; }))
- .concat(app.redirectDomains.map(rd => { return { domain: rd.domain, fqdn: rd.fqdn, type: apps.LOCATION_TYPE_REDIRECT }; }))
- .concat(app.aliasDomains.map(ad => { return { domain: ad.domain, fqdn: ad.fqdn, type: apps.LOCATION_TYPE_ALIAS }; }));
+ const appDomains = [{ domain: app.domain, fqdn: app.fqdn, certificate: app.certificate, type: apps.LOCATION_TYPE_PRIMARY }]
+ .concat(app.secondaryDomains.map(sd => { return { domain: sd.domain, certificate: sd.certificate, fqdn: sd.fqdn, type: apps.LOCATION_TYPE_SECONDARY }; }))
+ .concat(app.redirectDomains.map(rd => { return { domain: rd.domain, certificate: rd.certificate, fqdn: rd.fqdn, type: apps.LOCATION_TYPE_REDIRECT }; }))
+ .concat(app.aliasDomains.map(ad => { return { domain: ad.domain, certificate: ad.certificate, fqdn: ad.fqdn, type: apps.LOCATION_TYPE_ALIAS }; }));
 for (const appDomain of appDomains) {
+ const { certFilePath, keyFilePath } = getUserCertificatePathSync(appDomain.fqdn);
+ if (appDomain.certificate !== null) {
+ if (!safe.fs.writeFileSync(certFilePath, appDomain.certificate.cert)) throw safe.error;
+ if (!safe.fs.writeFileSync(keyFilePath, appDomain.certificate.key)) throw safe.error;
+ } else { // remove existing cert/key
+ if (!safe.fs.unlinkSync(certFilePath)) debug(`Error removing cert: ${safe.error.message}`);
+ if (!safe.fs.unlinkSync(keyFilePath)) debug(`Error removing key: ${safe.error.message}`);
+ }
+
 const bundle = await getCertificatePath(appDomain.fqdn, appDomain.domain);
 await writeAppNginxConfig(app, appDomain.fqdn, appDomain.type, bundle);
 }
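Review bot: In the `else` branch of the new loop a failed `unlinkSync` is only passed to `debug()`, while the `getCertificatePath()` call directly below still prefers the user files whenever both exist, so a certificate and key the user has removed could stay in service. A file that is simply absent (presumably the usual case for a domain that never had a user certificate) is reported the same way, which buries real failures. The guard `appDomain.certificate !== null` also lets `undefined` reach `appDomain.certificate.cert`, so a domain object without the field would throw a TypeError, where the removed `setAppCertificate` at least asserted the type. The private key is written with the default file mode and write failures are thrown as raw `safe.error` rather than the `BoxError.FS_ERROR` that `checkAppCertificate` uses; the sketch below passes `mode: 0o600` for the key, assuming `safe.fs.writeFileSync` forwards an options argument (the mode only takes effect when the file is created). `writeAppConfigs` continues past the end of the hunk.

```javascript
for (const appDomain of appDomains) {
    const { certFilePath, keyFilePath } = getUserCertificatePathSync(appDomain.fqdn);
    if (appDomain.certificate) { // null and undefined both mean "no user certificate"
        if (!safe.fs.writeFileSync(certFilePath, appDomain.certificate.cert)) throw new BoxError(BoxError.FS_ERROR, `Failed to write certificate: ${safe.error.message}`);
        if (!safe.fs.writeFileSync(keyFilePath, appDomain.certificate.key, { mode: 0o600 })) throw new BoxError(BoxError.FS_ERROR, `Failed to write key: ${safe.error.message}`);
    } else { // remove existing cert/key; a file that is already gone is not an error
        if (!safe.fs.unlinkSync(certFilePath) && safe.error.code !== 'ENOENT') throw new BoxError(BoxError.FS_ERROR, `Failed to remove certificate: ${safe.error.message}`);
        if (!safe.fs.unlinkSync(keyFilePath) && safe.error.code !== 'ENOENT') throw new BoxError(BoxError.FS_ERROR, `Failed to remove key: ${safe.error.message}`);
    }
    // … unchanged: getCertificatePath() and writeAppNginxConfig() calls …
}
```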