diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py
index 23e98ae2..b352ffe4 100644
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@@ -114,7 +114,7 @@ class CertificateOutputSchema(LemurOutputSchema):
 signing_algorithm = fields.String()
 status = fields.Boolean()
 user = fields.Nested(UserNestedOutputSchema)
- domains = fields.Nested(DomainNestedOutputSchema)
+ domains = fields.Nested(DomainNestedOutputSchema, many=True)
 destinations = fields.Nested(DestinationNestedOutputSchema, many=True)
 notifications = fields.Nested(NotificationNestedOutputSchema, many=True)
 replaces = fields.Nested(CertificateNestedOutputSchema, many=True)
diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index 54808a94..45b1c1ec 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -21,6 +21,7 @@ from lemur.authorities.models import Authority
 from lemur.domains.models import Domain
 from lemur.roles.models import Role
+from lemur.roles import service as role_service
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
@@ -115,6 +116,21 @@ def update(cert_id, owner, description, active, destinations, notifications, rep
 return database.update(cert)
+def create_certificate_roles(**kwargs):
+ # create an role for the owner and assign it
+ owner_role = role_service.get_by_name(kwargs['owner'])
+ if not owner_role:
+ owner_role = role_service.create(
+ kwargs['owner'],
+ description="Auto generated role based on owner: {0}".format(kwargs['owner'])
+ )
+
+ if kwargs.get('roles'):
+ kwargs['roles'].append(owner_role)
+
+ return kwargs
+
+
 def mint(**kwargs):
 """
 Minting is slightly different for each authority.
@@ -164,6 +180,8 @@ def upload(**kwargs):
 """
 Allows for pre-made certificates to be imported into Lemur.
 """
+ kwargs = create_certificate_roles(**kwargs)
+
 cert = Certificate(**kwargs)
 # we override the generated name if one is provided
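Review bot: In `create_certificate_roles` the owner role is looked up or created but only attached when the caller already passed a non-empty `roles` list: `if kwargs.get('roles'):` skips the append for a missing key, `None` or `[]`, so a certificate uploaded or created without explicit roles ends up with no owner role, and any access decision meant to rest on that role would not apply. Attaching it unconditionally, e.g. `kwargs['roles'] = list(kwargs.get('roles') or []) + [owner_role]`, fixes that and avoids mutating the caller's list; both call sites added in this commit (`upload` and `create`) depend on it. `kwargs['owner']` is indexed directly, so a call without an owner raises `KeyError` here; whether the input schema guarantees the key is not visible in this diff. The role name is taken from the submitted owner value and `get_by_name` reuses any existing role with that name, so it is worth confirming that an owner string matching an unrelated role is acceptable. A docstring stating this contract would help, and the comment should read `# create a role for the owner and assign it`.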
@@ -187,6 +205,8 @@ def create(**kwargs):
 kwargs['private_key'] = private_key
 kwargs['chain'] = cert_chain
+ kwargs = create_certificate_roles(**kwargs)
+
 cert = Certificate(**kwargs)
 # we override the generated name if one is provided
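Review bot: The new `kwargs = create_certificate_roles(**kwargs)` call in `create` runs after `kwargs['private_key']` and `kwargs['chain']` have been filled in, which suggests the certificate has already been issued when the role lookup happens (the minting call is above the hunk, so this is inferred). If the role step raises, for example a `KeyError` on a missing `owner` or a database error inside `role_service.create`, the issued certificate and its private key never reach `Certificate(**kwargs)` and would be unknown to Lemur while still valid at the authority. Resolving the roles before issuance, by moving the call to the top of `create`, keeps that failure cheap. The same call in `upload` sits ahead of `Certificate(**kwargs)`, so a rejected upload can still leave an auto-generated role behind. The body of `create` starts and ends outside this hunk.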