diff --git a/postgrest/tpl/nginx.conf b/postgrest/tpl/nginx.conf
index 98ca22f7d34980ac9defb835097574e16863a544..506e8fb3946934485e173444a9bb789a956a1f64 100644
--- a/postgrest/tpl/nginx.conf
+++ b/postgrest/tpl/nginx.conf
@@ -37,14 +37,14 @@ server {
     ssl_session_timeout         5m;
 
     ssl                         on;
-    ssl_certificate             /root/certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.pem;
-    ssl_certificate_key         /root/certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.key;
+    ssl_certificate             /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.pem;
+    ssl_certificate_key         /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.key;
 
     # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
-    ssl_dhparam                 /root/certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.dhparam.pem;
+    ssl_dhparam                 /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.dhparam.pem;
     {% if nginx_conf.client_ca is defined %}
     ssl_verify_client           on;
-    ssl_client_certificate      /root/certs/{{ nginx_conf.get('ssl_cert_name'), instance_name }}
+    ssl_client_certificate      /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name'), instance_name }}
     {% endif %}
 
     ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
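Review bot: The new `ssl_client_certificate` line keeps the misplaced parenthesis from the old one: `nginx_conf.get('ssl_cert_name'), instance_name` closes `get()` before the default, so Jinja renders a two-element tuple instead of falling back to `instance_name`. The line also has no file suffix and no terminating `;`, unlike the three directives above it. When `client_ca` is defined the rendered config will therefore probably fail to load or point at a non-existent CA file, so the `ssl_verify_client on` branch looks untested. I would write it as `ssl_client_certificate /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}<CA_FILE_SUFFIX>;`, where the suffix is a placeholder for the project's CA bundle name; it may also be that the value of `nginx_conf.client_ca` was meant to supply the path. Separately, the context line `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables the deprecated TLS 1.0 and 1.1. The `server` block starts and ends outside this hunk.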