diff --git a/pkg/forklift-api/services/tls-certificate.go b/pkg/forklift-api/services/tls-certificate.go
index c06ce665c..0ebeab577 100644
--- a/pkg/forklift-api/services/tls-certificate.go
+++ b/pkg/forklift-api/services/tls-certificate.go
@@ -23,6 +23,7 @@ func serveTlsCertificate(resp http.ResponseWriter, req *http.Request, client cli
 				Bytes: cacert.Raw,
 			})
 			if _, err := resp.Write(encoded); err == nil {
+				resp.Header().Set("Content-Type", "text/plain")
 				resp.WriteHeader(http.StatusOK)
 			} else {
 				msg := fmt.Sprintf("failed to write certificate: %s", string(encoded))
diff --git a/pkg/lib/util/util.go b/pkg/lib/util/util.go
index df05a0bdc..4622aa1b8 100644
--- a/pkg/lib/util/util.go
+++ b/pkg/lib/util/util.go
@@ -27,7 +27,7 @@ func GetTlsCertificate(url *liburl.URL, secret *core.Secret) (crt *x509.Certific
 
 	conn, err := tls.Dial("tcp", host, cfg)
 	if err == nil && len(conn.ConnectionState().PeerCertificates) > 0 {
-		crt, err = x509.ParseCertificate(conn.ConnectionState().PeerCertificates[0].Raw)
+		crt = conn.ConnectionState().PeerCertificates[0]
 	} else {
 		err = liberr.Wrap(err, "url", url)
 	}