diff --git a/database/certcache.go b/database/certcache.go
index 5cc5057..3570042 100644
--- a/database/certcache.go
+++ b/database/certcache.go
@@ -1,6 +1,7 @@
 package database
 import (
+ "errors"
 "log"
 r "github.com/GoRethink/gorethink"
@@ -57,6 +58,15 @@ func (c *CertCache) Get(ctx context.Context, key string) ([]byte, error) {
 switch cert.CryptoLevel {
 case CryptoLevelNone:
 body = cert.Body
+ case CryptoLevelSecretbox:
+ if c.SimpleBox == nil {
+ return nil, errors.New("can't read this cert, no key in memory")
+ }
+
+ body, err = c.SimpleBox.Decrypt(cert.Body)
+ if err != nil {
+ return nil, autocert.ErrCacheMiss
+ }
 }
 log.Printf("certcache: fetched: %s", key)
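Review bot: In the new `CryptoLevelSecretbox` case of `Get`, a failed `c.SimpleBox.Decrypt` is reported as `autocert.ErrCacheMiss` and the underlying error is dropped, so a wrong or rotated key and a corrupted or tampered record are indistinguishable from an absent entry and leave no trace in the log. autocert treats a cache miss as a cue to obtain a fresh certificate, so a key mismatch would likely surface only as repeated re-issuance and eventually CA rate limits. At minimum log it before returning, `log.Printf("certcache: decrypt failed for %s: %v", key, err)`, and consider returning a real error the way the nil-`SimpleBox` branch does. The switch also has no `default:`, so an unrecognised `CryptoLevel` appears to fall through with an empty `body`; the rest of `Get` is outside the hunk, so confirm that and add `default: return nil, errors.New("certcache: unknown crypto level")` if so.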