diff --git a/server/private/lib/certificates.ts b/server/private/lib/certificates.ts index 4efc397e..2ca967be 100644 --- a/server/private/lib/certificates.ts +++ b/server/private/lib/certificates.ts @@ -19,18 +19,26 @@ import * as fs from "fs"; import NodeCache from "node-cache"; import logger from "@server/logger"; -const encryptionKeyPath = - config.getRawPrivateConfig().server.encryption_key_path; +let encryptionKeyPath = ""; +let encryptionKeyHex = ""; +let encryptionKey: Buffer; +function loadEncryptData() { + if (encryptionKey) { + return; // already loaded + } -if (!fs.existsSync(encryptionKeyPath)) { - throw new Error( - "Encryption key file not found. Please generate one first." - ); + encryptionKeyPath = config.getRawPrivateConfig().server.encryption_key_path; + + if (!fs.existsSync(encryptionKeyPath)) { + throw new Error( + "Encryption key file not found. Please generate one first." + ); + } + + encryptionKeyHex = fs.readFileSync(encryptionKeyPath, "utf8").trim(); + encryptionKey = Buffer.from(encryptionKeyHex, "hex"); } -const encryptionKeyHex = fs.readFileSync(encryptionKeyPath, "utf8").trim(); -const encryptionKey = Buffer.from(encryptionKeyHex, "hex"); - // Define the return type for clarity and type safety export type CertificateResult = { id: number; @@ -50,6 +58,9 @@ export async function getValidCertificatesForDomains( domains: Set, useCache: boolean = true ): Promise> { + + loadEncryptData(); // Ensure encryption key is loaded + const finalResults: CertificateResult[] = []; const domainsToQuery = new Set(); 
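Review bot: `loadEncryptData()` caches whatever `Buffer.from(encryptionKeyHex, "hex")` returns, without checking that the key file held a well-formed key. Node's hex decoder stops at the first invalid character instead of throwing, so an empty or corrupted file yields an empty or shortened Buffer. Because any Buffer is truthy, the `if (encryptionKey)` guard then treats it as loaded for the rest of the process. Decode into a local, reject empty or partially decoded input, and assign the module variables only after the check passes; comparing against the key length the cipher requires would be stronger, but that length is not visible in this diff. The copy of this function added in server/private/routers/hybrid.ts has the same gap.

```typescript
function loadEncryptData() {
    // … unchanged: already-loaded guard, path lookup and existsSync check …

    const keyHex = fs.readFileSync(encryptionKeyPath, "utf8").trim();
    const key = Buffer.from(keyHex, "hex");
    // Buffer.from(..., "hex") truncates at the first non-hex character instead of throwing.
    if (key.length === 0 || key.length * 2 !== keyHex.length) {
        throw new Error("Encryption key file is empty or not valid hex.");
    }
    encryptionKeyHex = keyHex;
    encryptionKey = key;
}
```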
@@ -151,7 +162,9 @@ export async function getValidCertificatesForDomains( // If a certificate was found, format it, add to results, and cache it if (foundCert) { - logger.debug(`Creating result cert for ${domain} using cert from ${foundCert.domain}`); + logger.debug( + `Creating result cert for ${domain} using cert from ${foundCert.domain}` + ); const resultCert: CertificateResult = { id: foundCert.certId, domain: foundCert.domain, // The actual domain of the cert record @@ -172,7 +185,6 @@ export async function getValidCertificatesForDomains( } } - const decryptedResults = decryptFinalResults(finalResults); return decryptedResults; } diff --git a/server/private/lib/readConfigFile.ts b/server/private/lib/readConfigFile.ts index 6651c1c6..7a65f795 100644 --- a/server/private/lib/readConfigFile.ts +++ b/server/private/lib/readConfigFile.ts @@ -172,6 +172,12 @@ export function readPrivateConfigFile() { return {}; } + // test if the config file is there + if (!fs.existsSync(privateConfigFilePath1)) { + // load the default values of the zod schema and return those + return privateConfigSchema.parse({}); + } + const loadConfig = (configPath: string) => { try { const yamlContent = fs.readFileSync(configPath, "utf8"); diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts index 54c823a5..df99df92 100644 --- a/server/private/routers/hybrid.ts +++ b/server/private/routers/hybrid.ts 
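Review bot: The new early return in `readPrivateConfigFile()` silently hands back `privateConfigSchema.parse({})` when `privateConfigFilePath1` does not exist, so a mistyped path or a missing volume mount looks the same as an intentional run without private config. The defaults then stand in for every setting the file would have supplied, presumably including `server.encryption_key_path`, and nothing in the log records that. Emit a warning that names the path before returning, for example `console.warn("private config not found, using schema defaults: " + privateConfigFilePath1);`, or use the project logger if this file imports one, which the hunk does not show. The context line just above returns `{}` while this branch returns parsed defaults; if both mean "no private config", they should return the same shape. The function body starts and ends outside the hunk.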
@@ -292,11 +292,33 @@ hybridRouter.get( } ); +let encryptionKeyPath = ""; +let encryptionKeyHex = ""; +let encryptionKey: Buffer; +function loadEncryptData() { + if (encryptionKey) { + return; // already loaded + } + + encryptionKeyPath = privateConfig.getRawPrivateConfig().server.encryption_key_path; + + if (!fs.existsSync(encryptionKeyPath)) { + throw new Error( + "Encryption key file not found. Please generate one first." + ); + } + + encryptionKeyHex = fs.readFileSync(encryptionKeyPath, "utf8").trim(); + encryptionKey = Buffer.from(encryptionKeyHex, "hex"); +} + // Get valid certificates for given domains (supports wildcard certs) hybridRouter.get( "/certificates/domains", async (req: Request, res: Response, next: NextFunction) => { try { + loadEncryptData(); // Ensure encryption key is loaded + const parsed = getCertificatesByDomainsQuerySchema.safeParse( req.query ); @@ -425,20 +447,6 @@ hybridRouter.get( filtered.push(cert); } - const encryptionKeyPath = - privateConfig.getRawPrivateConfig().server.encryption_key_path; - - if (!fs.existsSync(encryptionKeyPath)) { - throw new Error( - "Encryption key file not found. Please generate one first." - ); - } - - const encryptionKeyHex = fs - .readFileSync(encryptionKeyPath, "utf8") - .trim(); - const encryptionKey = Buffer.from(encryptionKeyHex, "hex"); - const result = filtered.map((cert) => { // Decrypt and save certificate file const decryptedCert = decryptData(
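Review bot: This `loadEncryptData()` is a line-for-line copy of the one added to server/private/lib/certificates.ts in the same commit, differing only in `privateConfig` versus `config`, so the process now has two independent loaders and two cached copies of the key. Key-handling code should have a single owner: export the loader, or an accessor that returns the key, from one module and import it here, so that a later fix such as input validation cannot land in one copy and miss the other. As far as this hunk shows, `encryptionKeyPath` and `encryptionKeyHex` only need to be locals inside the function; keeping the hex string in module scope retains a second copy of the key material for the life of the process. Caching also means a rotated key file is not picked up until restart, whereas the code removed further down re-read it on every request; a comment next to the `if (encryptionKey)` guard should say so.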