diff --git a/src/apps.js b/src/apps.js
index 1279542a5..700463346 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -534,8 +534,10 @@ function install(data, auditSource, callback) {
     error = validateHostname(location, domain, intrinsicFqdn);
     if (error) return callback(error);
 
-    error = certificates.validateCertificate(cert, key, intrinsicFqdn);
-    if (error) return callback(new AppsError(AppsError.BAD_CERTIFICATE, error.message));
+    if (cert && key) {
+        error = certificates.validateCertificate(cert, key, intrinsicFqdn);
+        if (error) return callback(new AppsError(AppsError.BAD_CERTIFICATE, error.message));
+    }
 
     debug('Will install app with id : ' + appId);
 
diff --git a/src/certificates.js b/src/certificates.js
index 9c5abe279..0e3663f29 100644
--- a/src/certificates.js
+++ b/src/certificates.js
@@ -3,6 +3,9 @@ exports = module.exports = {
 
     CertificatesError: CertificatesError,
 
+    initialize: initialize,
+    uninitialize: uninitialize,
+
     ensureFallbackCertificate: ensureFallbackCertificate,
     setFallbackCertificate: setFallbackCertificate,
     getFallbackCertificate: getFallbackCertificate,
@@ -15,9 +18,6 @@ exports = module.exports = {
 
     renewAll: renewAll,
 
-    initialize: initialize,
-    uninitialize: uninitialize,
-
     events: null,
 
     EVENT_CERT_CHANGED: 'cert_changed',
@@ -114,6 +114,8 @@ function getApi(app, callback) {
     });
 }
 
+// We configure nginx to always use the fallback cert from the runtime directory (NGINX_CERT_DIR)
+// This is done because Caas wildcard certs should not be part of the backup
 function ensureFallbackCertificate(callback) {
     // ensure a fallback certificate that much of our code requires
     var certFilePath = path.join(paths.APP_CERTS_DIR, 'host.cert');
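Review bot: The new `if (cert && key)` guard in install makes a request that supplies only one of cert/key, or an empty string for one of them, skip validateCertificate entirely instead of being rejected with BAD_CERTIFICATE, and the 'does not allow only cert' / 'does not allow only key' tests removed in certificates-test.js no longer cover that case. If cert and key come from the request payload, as the install signature suggests, a half-specified pair should still be refused before the install proceeds, e.g. `if ((cert && !key) || (!cert && key)) return callback(new AppsError(AppsError.BAD_CERTIFICATE, 'cert and key must both be provided'));` placed ahead of the guard. What install does with cert and key afterwards is outside the hunk, so whether a lone value would later be written out cannot be confirmed here; install's body continues beyond the hunk.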
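Review bot: The comment added above ensureFallbackCertificate names NGINX_CERT_DIR as the runtime directory nginx reads, while the first statement of the function builds the fallback path under paths.APP_CERTS_DIR, and the comment does not say how the two relate. A reader has to guess whether the cert under APP_CERTS_DIR is the source that gets copied into NGINX_CERT_DIR or whether the two are the same location, so the comment should name which directory holds the persisted copy and which one nginx is pointed at, and why the backup exclusion follows from that; the function body continues past the hunk, so the copy step, if any, is not visible here.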
@@ -260,9 +262,9 @@ function renewAll(auditSource, callback) {
 // note: https://tools.ietf.org/html/rfc4346#section-7.4.2 (certificate_list) requires that the
 // servers certificate appears first (and not the intermediate cert)
 function validateCertificate(cert, key, domain) {
-    assert(cert === null || typeof cert === 'string');
-    assert(key === null || typeof key === 'string');
     assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof cert, 'string');
+    assert.strictEqual(typeof key, 'string');
 
     function matchesDomain(candidate) {
         if (typeof candidate !== 'string') return false;
@@ -272,7 +274,7 @@ function validateCertificate(cert, key, domain) {
         return false;
     }
 
-    if (cert === null && key === null) return null;
+    // check for empty cert and key strings
     if (!cert && key) return new Error('missing cert');
     if (cert && !key) return new Error('missing key');
 
diff --git a/src/test/certificates-test.js b/src/test/certificates-test.js
index fcc56a4a0..07fbdfd3a 100644
--- a/src/test/certificates-test.js
+++ b/src/test/certificates-test.js
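Review bot: With the asserts now requiring strings, a null or undefined cert/key reaching validateCertificate throws an AssertionError rather than returning null as the `if (cert === null && key === null) return null;` removed in the hunk at -272 did, so every caller must filter the no-certificate case before calling, as install now does; any other caller that still passes null (a fallback or per-domain cert path, if one exists) would now crash instead of receiving an Error. That contract change is worth stating above the function so callers do not rediscover it from a stack trace: `// cert and key must be strings (callers decide whether a certificate was supplied at all); returns an Error describing the problem when the pair is invalid`. The body of validateCertificate continues past the hunk, so what it returns on success should be confirmed against the rest of the function before wording the comment.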
@@ -49,18 +49,6 @@ describe('Certificates', function () {
     var validCert2 = '-----BEGIN CERTIFICATE-----\nMIIBwjCCAWwCCQCZjm6jL50XfTANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzEXMBUGA1UEAwwOYmF6LmZvb2Jhci5jb20wHhcN\nMTYxMTA4MDgyMDE1WhcNMjAxMTA3MDgyMDE1WjBoMQswCQYDVQQGEwJERTEPMA0G\nA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05lYnVsb24x\nDDAKBgNVBAsMA0NUTzEXMBUGA1UEAwwOYmF6LmZvb2Jhci5jb20wXDANBgkqhkiG\n9w0BAQEFAANLADBIAkEAtKoyTPrf2DjKbnW7Xr1HbRvV+quHTcGmUq5anDI7G4w/\nabqDXGYyakHHlPyZxYp7FWQxCm83rHUuDT1LiLIBZQIDAQABMA0GCSqGSIb3DQEB\nCwUAA0EAVaD2Q6bF9hcUUBev5NyjaMdDYURuWfjuwWUkb8W50O2ed3O+MATKrDdS\nyVaBy8W02KJ4Y1ym4je/MF8nilPurA==\n-----END CERTIFICATE-----';
     var validKey2 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBPQIBAAJBALSqMkz639g4ym51u169R20b1fqrh03BplKuWpwyOxuMP2m6g1xm\nMmpBx5T8mcWKexVkMQpvN6x1Lg09S4iyAWUCAwEAAQJBAJXu7YHPbjfuoalcUZzF\nbuKRCFtZQRf5z0Os6QvZ8A3iR0SzYJzx+c2ibp7WdifMXp3XaKm4tHSOfumrjUIq\nt10CIQDrs9Xo7bq0zuNjUV5IshNfaiYKZRfQciRVW2O8xBP9VwIhAMQ5CCEDZy+u\nsaF9RtmB0bjbe6XonBlAzoflfH/MAwWjAiEA50hL+ohr0MfCMM7DKaozgEj0kvan\n645VQLywnaX5x3kCIQDCwjinS9FnKmV0e/uOd6PJb0/S5IXLKt/TUpu33K5DMQIh\nAM9peu3B5t9pO59MmeUGZwI+bEJfEb+h03WTptBxS3pO\n-----END RSA PRIVATE KEY-----';
 
-    it('allows both null', function () {
-        expect(certificates.validateCertificate(null, null, 'foobar.com')).to.be(null);
-    });
-
-    it('does not allow only cert', function () {
-        expect(certificates.validateCertificate('cert', null, 'foobar.com')).to.be.an(Error);
-    });
-
-    it('does not allow only key', function () {
-        expect(certificates.validateCertificate(null, 'key', 'foobar.com')).to.be.an(Error);
-    });
-
     it('does not allow empty string for cert', function () {
         expect(certificates.validateCertificate('', 'key', 'foobar.com')).to.be.an(Error);
     });