diff --git a/server/certificates/certificates.go b/server/certificates/certificates.go
index d05355c..64981ef 100644
--- a/server/certificates/certificates.go
+++ b/server/certificates/certificates.go
@@ -185,13 +185,13 @@ func (c *AcmeClient) retrieveCertFromDB(sni, mainDomainSuffix string, useDnsProv
 	if err != nil {
 		return nil, err
 	}
-	tlsCertificate.Leaf, err = leaf(&tlsCertificate)
-	if err != nil {
-		return nil, err
-	}
 
 	// TODO: document & put into own function
 	if !strings.EqualFold(sni, mainDomainSuffix) {
+		tlsCertificate.Leaf, err = leaf(&tlsCertificate)
+		if err != nil {
+			return nil, err
+		}
 		// renew certificates 7 days before they expire
 		if tlsCertificate.Leaf.NotAfter.Before(time.Now().Add(7 * 24 * time.Hour)) {
 			// TODO: use ValidTill of custom cert struct
@@ -229,10 +229,6 @@ func (c *AcmeClient) obtainCert(acmeClient *lego.Client, domains []string, renew
 		if err != nil {
 			return nil, fmt.Errorf("certificate failed in synchronous request: %w", err)
 		}
-		cert.Leaf, err = leaf(cert)
-		if err != nil {
-			return nil, err
-		}
 		return cert, nil
 	}
 	defer c.obtainLocks.Delete(name)
@@ -320,10 +316,6 @@ func (c *AcmeClient) obtainCert(acmeClient *lego.Client, domains []string, renew
 	if err != nil {
 		return nil, err
 	}
-	tlsCertificate.Leaf, err = leaf(&tlsCertificate)
-	if err != nil {
-		return nil, err
-	}
 	return &tlsCertificate, nil
 }