diff --git a/control.go b/control.go
index 344cd6af..4ce261ca 100644
--- a/control.go
+++ b/control.go
@@ -1034,6 +1034,14 @@ func handleInstallConfigure(w http.ResponseWriter, r *http.Request) {
 // ---
 func handleTLSStatus(w http.ResponseWriter, r *http.Request) {
 	data := config.TLS
+	if data.CertificateChain != "" {
+		encoded := base64.StdEncoding.EncodeToString([]byte(data.CertificateChain))
+		data.CertificateChain = string(encoded)
+	}
+	if data.PrivateKey != "" {
+		encoded := base64.StdEncoding.EncodeToString([]byte(data.PrivateKey))
+		data.PrivateKey = string(encoded)
+	}
 	err := json.NewEncoder(w).Encode(&data)
 	if err != nil {
 		httpError(w, http.StatusInternalServerError, "Failed to marshal json with TLS status: %s", err)
@@ -1057,6 +1065,7 @@ func handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
 			httpError(w, http.StatusBadRequest, "Failed to base64-decode certificate chain: %s", err)
 			return
 		}
+		data.CertificateChain = string(certPEM)
 
 		log.Printf("got certificate: %s", certPEM)
 
@@ -1067,6 +1076,8 @@ func handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
 				return
 			}
 
+			data.PrivateKey = string(keyPEM)
+
 			_, err = tls.X509KeyPair(certPEM, keyPEM)
 			if err != nil {
 				httpError(w, http.StatusBadRequest, "Invalid certificate or key: %s", err)