diff --git a/acme/client.go b/acme/client.go
index 5016ecdb..dfbacb4e 100644
--- a/acme/client.go
+++ b/acme/client.go
@@ -357,7 +357,7 @@ func (c *Client) requestCertificate(authz *authorizationResource, result chan Ce
 // Otherwise the body is the certificate.
 if len(cert) > 0 {
 cerRes.CertStableURL = resp.Header.Get("Content-Location")
-cerRes.Certificate = pemEncode(cert)
+cerRes.Certificate = pemEncode(derCertificateBytes(cert))
 result <- cerRes
 } else {
 // The certificate was granted but is not yet issued.
diff --git a/acme/crypto.go b/acme/crypto.go
index 7df778f8..27ae6bc0 100644
--- a/acme/crypto.go
+++ b/acme/crypto.go
@@ -10,6 +10,8 @@ import (
 "time"
 )
+type derCertificateBytes []byte
+
 func generatePrivateKey(keyLength int) (*rsa.PrivateKey, error) {
 return rsa.GenerateKey(rand.Reader, keyLength)
 }
@@ -30,7 +32,7 @@ func pemEncode(data interface{}) []byte {
 case *rsa.PrivateKey:
 pemBlock = &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
 break
-case []byte:
+case derCertificateBytes:
 pemBlock = &pem.Block{Type: "CERTIFICATE", Bytes: data.([]byte)}
 }
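Review bot: The new `derCertificateBytes` type in acme/crypto.go is declared without a comment, so its purpose is only discoverable by reading the switch in `pemEncode`. I would add `// derCertificateBytes marks a byte slice as a DER-encoded X.509 certificate so that pemEncode emits a CERTIFICATE block.` above the declaration. The conversion at the call site is a label only and does not check that the bytes parse as a certificate, which is worth stating in the same comment.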
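Review bot: The `derCertificateBytes` case in `pemEncode` still builds the block with `data.([]byte)`, and that single-value assertion panics at run time because the dynamic type is now `derCertificateBytes`, not `[]byte`. The call this commit changes in `requestCertificate` (acme/client.go) passes exactly that type, so the panic would occur on the issued-certificate path. Changing the line to `pemBlock = &pem.Block{Type: "CERTIFICATE", Bytes: []byte(data.(derCertificateBytes))}` fixes it. A plain `[]byte` argument now matches no case; the switch header and the return are outside the hunk, so whether `pemBlock` can reach the encoder as nil should be checked, and a `default:` branch would make that outcome explicit.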