diff --git a/pikatasks/settings.py b/pikatasks/settings.py
index 46b322f895c3b7d1685d3ad702e75e11817d2b24..6717e8fbd2ece509743cfef8350a7c42dec2217a 100644
--- a/pikatasks/settings.py
+++ b/pikatasks/settings.py
@@ -23,16 +23,11 @@ CLIENT_EXCHANGE_NAME = ""  # empty string -> amq.default exchange
 WORKER_TASK_PROCESSES = 10  # this many processes will be executing tasks
 
 SSL_ENABLED = True
-SSL_CONF = {
-    # # See ssl.wrap_socket() documentation: https://docs.python.org/3.6/library/ssl.html#ssl.wrap_socket
-    # "keyfile": "/foo/client/key.pem",
-    # "certfile": "/foo/client/cert.pem",
-    # "ca_certs": "/foo/ca/cacert.pem",
-    # NOTE: The following values are not meant to be changed through settings
-    # because this would be a mess in deployment!
-    "ssl_version": ssl.PROTOCOL_TLSv1_2,
-    "cert_reqs": ssl.CERT_REQUIRED,
-}
+SSL_KEY_FILE = None
+SSL_CERT_FILE = None
+SSL_CA_CERTS = None
+SSL_VERSION = ssl.PROTOCOL_TLSv1_2
+SSL_CERT_REQS = ssl.CERT_REQUIRED
 
 # stuff you might want to change sometimes:
 RPC_TIMEOUT = timedelta(seconds=10)  # affects client behaviour and message TTL
@@ -51,11 +46,7 @@ try:
         if k.isupper() and not k.startswith("_"):  # looks like a setting
             try:
                 new_value = getattr(django_settings, "PIKATASKS_" + k)
-                if isinstance(globals()[k], dict):
-                    assert isinstance(new_value, dict), "{} needs to be a dictionary".format(k)
-                    globals()[k].update(new_value)
-                else:
-                    globals()[k] = new_value
+                globals()[k] = new_value
             except ImproperlyConfigured:
                 pass  # django is installed but not used
             except AttributeError:
diff --git a/pikatasks/utils.py b/pikatasks/utils.py
index 51d60388d463abc2e79659533f58e8bb5daffd74..6bcdd0d200f6acc7c5620b4e1014a22182444c26 100644
--- a/pikatasks/utils.py
+++ b/pikatasks/utils.py
@@ -16,12 +16,12 @@ def deserialize(binary):
     return json.loads(binary.decode("utf-8"))
 
 
-def get_ssl_options(ssl_settings):
+def get_ssl_options(settings):
     """ Create pika.SSLOptions based on pikatasks settings. """
-    context = ssl.SSLContext(ssl_settings.get('ssl_version'))
-    context.verify_mode = (ssl_settings.get('cert_reqs'))
-    context.load_verify_locations(ssl_settings.get('ca_certs'))
-    context.load_cert_chain(ssl_settings.get('certfile'), ssl_settings.get('keyfile'))
+    context = ssl.SSLContext(settings.SSL_VERSION)
+    context.verify_mode = settings.SSL_CERT_REQS
+    context.load_verify_locations(settings.SSL_CA_CERTS)
+    context.load_cert_chain(settings.SSL_CERT_FILE, settings.SSL_KEY_FILE)
     return pika.SSLOptions(context)
 
 
@@ -36,7 +36,7 @@ def get_pika_connection_parameters():
             ),
             # TODO: causes a warning when closing connections
             blocked_connection_timeout=settings.BLOCKED_CONNECTION_TIMEOUT.total_seconds(),
-            ssl_options=get_ssl_options(settings.SSL_CONF) if settings.SSL_ENABLED else None,
+            ssl_options=get_ssl_options(settings) if settings.SSL_ENABLED else None,
         )