diff --git a/src/eventlog.js b/src/eventlog.js
index ef77217a9..bed386b76 100644
--- a/src/eventlog.js
+++ b/src/eventlog.js
@@ -23,6 +23,7 @@ exports = module.exports = {
     ACTION_BACKUP_START: 'backup.start',
     ACTION_BACKUP_CLEANUP: 'backup.cleanup',
 
+    ACTION_CERTIFICATE_NEW: 'certificate.new',
     ACTION_CERTIFICATE_RENEWAL: 'certificate.renew',
 
     ACTION_DOMAIN_ADD: 'domain.add',
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index d21cacbad..bd084e216 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -330,12 +330,12 @@ function ensureCertificate(vhost, domain, auditSource, callback) {
         getCertApi(domainObject, function (error, api, apiOptions) {
             if (error) return callback(error);
 
-            getCertificateByHostname(vhost, domainObject, function (error, result) {
-                if (result) {
-                    debug(`ensureCertificate: ${vhost} certificate already exists at ${result.keyFilePath}`);
+            getCertificateByHostname(vhost, domainObject, function (error, currentBundle) {
+                if (currentBundle) {
+                    debug(`ensureCertificate: ${vhost} certificate already exists at ${currentBundle.keyFilePath}`);
 
-                    if (result.certFilePath.endsWith('.user.cert')) return callback(null, result); // user certs cannot be renewed
-                    if (!isExpiringSync(result.certFilePath, 24 * 30) && providerMatchesSync(domainObject, result.certFilePath, apiOptions)) return callback(null, result);
+                    if (currentBundle.certFilePath.endsWith('.user.cert')) return callback(null, currentBundle); // user certs cannot be renewed
+                    if (!isExpiringSync(currentBundle.certFilePath, 24 * 30) && providerMatchesSync(domainObject, currentBundle.certFilePath, apiOptions)) return callback(null, currentBundle);
                     debug(`ensureCertificate: ${vhost} cert require renewal`);
                 } else {
                     debug(`ensureCertificate: ${vhost} cert does not exist`);
@@ -351,7 +351,7 @@ function ensureCertificate(vhost, domain, auditSource, callback) {
                         mailer.certificateRenewalError(vhost, errorMessage);
                     }
 
-                    eventlog.add(eventlog.ACTION_CERTIFICATE_RENEWAL, auditSource, { domain: vhost, errorMessage: errorMessage });
+                    eventlog.add(currentBundle ? eventlog.ACTION_CERTIFICATE_RENEWAL : eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: vhost, errorMessage: errorMessage });
 
                     // if no cert was returned use fallback. the fallback/caas provider will not provide any for example
                     if (!certFilePath || !keyFilePath) return getFallbackCertificate(domain, callback);