diff --git a/database/boltdb.go b/database/boltdb.go
index 8671fc8..d2802c5 100644
--- a/database/boltdb.go
+++ b/database/boltdb.go
@@ -60,11 +60,11 @@ func (b *BoltDBStorage) GetRoute(ctx context.Context, host string) (Route, error
 
 		switch err {
 		case storm.ErrNotFound:
-			return errors.Wrapf(err, "%v", ErrNoSuchRoute)
-		case storm.AlreadyExists:
-			return errors.Wrapf(err, "%v", ErrRouteAlreadyExists)
+			return Route{}, errors.Wrapf(err, "%v", ErrNoSuchRoute)
+		case storm.ErrAlreadyExists:
+			return Route{}, errors.Wrapf(err, "%v", ErrRouteAlreadyExists)
 		default:
-			return errors.Wrapf(err, "%v", ErrUnknown)
+			return Route{}, errors.Wrapf(err, "%v", ErrUnknown)
 		}
 	}
 
diff --git a/database/cert.go b/database/cert.go
new file mode 100644
index 0000000..784bd32
--- /dev/null
+++ b/database/cert.go
@@ -0,0 +1,22 @@
+package database
+
+// CryptoLevel indicates what form of cryptography the certificate is stored
+// with.
+type CryptoLevel int
+
+// Crypto levels / strategies defined
+const (
+	// NOTE: this is defined for debugging / testing usage only
+	CryptoLevelNone CryptoLevel = iota
+
+	// Use the global set of secretbox keys
+	CryptoLevelSecretbox
+)
+
+// CachedCert is an individual cached certificate in the database.
+type CachedCert struct {
+	Key         string      `gorethink:"id" storm:"id"`
+	CryptoLevel CryptoLevel `gorethink:"cryptoLevel"`
+	// PEM-encoded bytes with the above crypto level as a filter.
+	Body []byte `gorethink:"body"`
+}
diff --git a/database/storage.go b/database/storage.go
index e9783f1..5f597d5 100644
--- a/database/storage.go
+++ b/database/storage.go
@@ -9,7 +9,7 @@ import (
 type Storage interface {
 	// routes
 	GetRoute(ctx context.Context, host string) (Route, error)
-	GetAllRoutes(ctx context.Context) ([]Route, error)
+	GetAllRoutes(ctx context.Context, user string) ([]Route, error)
 	PutRoute(ctx context.Context, domain, kind string) (Route, error)
 	DeleteRoute(ctx context.Context, id string) error