diff --git a/Dockerfile b/Dockerfile
index 520d538..e8ded3c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,5 +11,8 @@ COPY templates templates
 RUN nunjucks-precompile --include snippets --include views templates >> js/bundle.js
 RUN bash -c 'cat /usr/lib/node_modules/{jquery/dist/jquery.min.js,tether/dist/js/tether.min.js,bootstrap/dist/js/bootstrap.min.js,node-forge/dist/forge.all.min.js,qrcode-svg/dist/qrcode.min.js,timeago/jquery.timeago.js,nunjucks/browser/nunjucks-slim.min.js,xterm/lib/xterm.js} >> js/bundle.js'
 RUN bash -c 'cat /usr/lib/node_modules/{tether/dist/css/tether.min.css,bootstrap/dist/css/bootstrap.min.css,font-awesome/css/font-awesome.min.css,xterm/css/xterm.css} >> css/bundle.css'
+RUN mkdir /frontend-secrets
+RUN ln -s ../server-secrets/self_cert.pem /frontend-secrets/cert.pem
+RUN ln -s ../server-secrets/self_key.pem /frontend-secrets/key.pem
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT /entrypoint.sh
diff --git a/nginx.conf b/nginx.conf
index 128439a..41274f8 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -61,10 +61,6 @@ http {
     proxy_read_timeout 600;
     send_timeout 600;
 
-    # To use CA-s own certificate for frontend and mutually authenticated connections
-    ssl_certificate /server-secrets/self_cert.pem;
-    ssl_certificate_key /server-secrets/self_key.pem;
-
     server {
         # Section for serving insecure HTTP, note that this is suitable for
         # OCSP, CRL-s etc which is already covered by PKI protection mechanisms.
@@ -97,6 +93,10 @@ http {
         # once it has been configured
         add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
 
+        # Bind mount this directory to use Let's Encrypt keypair for frontend
+        ssl_certificate /frontend-secrets/cert.pem;
+        ssl_certificate_key /frontend-secrets/key.pem;
+
         #proxy pass event
         location /api/event/ {
             proxy_buffering off;
@@ -147,6 +147,10 @@ http {
         ssl_verify_client optional;
         ssl_client_certificate /server-secrets/ca_cert.pem;
 
+        # Use same keypair used by IPSec, OpenVPN
+        ssl_certificate /server-secrets/self_cert.pem;
+        ssl_certificate_key /server-secrets/self_key.pem;
+
         # Proxy pass to backend
         location /api/ {
             proxy_pass http://read-write;