diff --git a/aperture.go b/aperture.go
index 43e6999..daa01cc 100644
--- a/aperture.go
+++ b/aperture.go
@@ -35,6 +35,10 @@ const (
 // represent a path-like structure.
 etcdKeyDelimeter = "/"
 
+ // selfSignedCertOrganization is the static string that we encode in the
+ // organization field of a certificate if we create it ourselves.
+ selfSignedCertOrganization = "aperture autogenerated cert"
+
 // selfSignedCertValidity is the certificate validity duration we are
 // using for aperture certificates. This is higher than lnd's default
 // 14 months and is set to a maximum just below what some operating
@@ -331,7 +335,7 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
 if !fileExists(tlsCertFile) && !fileExists(tlsKeyFile) {
 log.Infof("Generating TLS certificates...")
 err := cert.GenCertPair(
- "aperture autogenerated cert", tlsCertFile, tlsKeyFile,
+ selfSignedCertOrganization, tlsCertFile, tlsKeyFile,
 nil, nil, selfSignedCertValidity,
 )
 if err != nil {
@@ -353,9 +357,16 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
 -1 * selfSignedCertExpiryMargin,
 )
 
+ // We only want to renew a certificate that we created ourselves. If
+ // we are using a certificate that was passed to us (perhaps created by
+ // an externally running Let's Encrypt process) we aren't going to try
+ // to replace it.
+ isSelfSigned := len(parsedCert.Subject.Organization) > 0 &&
+ parsedCert.Subject.Organization[0] == selfSignedCertOrganization
+
 // If the certificate expired or it was outdated, delete it and the TLS
 // key and generate a new pair.
- if time.Now().After(expiryWithMargin) {
+ if isSelfSigned && time.Now().After(expiryWithMargin) {
 log.Info("TLS certificate will expire soon, generating a " +
 "new one")
 
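Review bot: With the new `isSelfSigned` guard in the third hunk, an externally supplied certificate that is already past `expiryWithMargin` now falls through silently, where it was previously regenerated, so nothing tells the operator that the external renewal process (the Let's Encrypt case the comment mentions) has stopped producing fresh certificates. Log that condition at warning level, e.g. `if !isSelfSigned && time.Now().After(expiryWithMargin) { log.Warnf("TLS certificate expires at %v but was not generated by aperture, not renewing it", parsedCert.NotAfter) }`, so a stale certificate is visible in the logs before clients start failing TLS handshakes. Separately, the name `isSelfSigned` overstates what is checked: a match on the organization string is an ownership marker, not a self-signature test, so either rename it (`isApertureCert`) or, if the renewal decision should hinge on the real property, test it with `parsedCert.CheckSignatureFrom(parsedCert) == nil` in addition to the organization match. getTLSConfig starts and ends outside this hunk.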
@@ -371,7 +382,7 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
 log.Infof("Renewing TLS certificates...")
 err = cert.GenCertPair(
- "aperture autogenerated cert", tlsCertFile, tlsKeyFile,
+ selfSignedCertOrganization, tlsCertFile, tlsKeyFile,
 nil, nil, selfSignedCertValidity,
 )
 if err != nil {