diff --git a/charts/virtual-kubelet/templates/deployment.yaml b/charts/virtual-kubelet/templates/deployment.yaml
index 7e29339c2..c7cde749b 100644
--- a/charts/virtual-kubelet/templates/deployment.yaml
+++ b/charts/virtual-kubelet/templates/deployment.yaml
@@ -15,26 +15,38 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         env:
         - name: AZURE_AUTH_LOCATION
-          value: /etc/virtual-kubelet/credentials.json
+          value: /etc/virtual-kubelet/auth/credentials.json
         - name: ACI_RESOURCE_GROUP
           value: {{ .Values.env.aciResourceGroup }}
         - name: ACI_REGION
           value: {{ default "westus" .Values.env.aciRegion }}
-        - name: APISERVER_CERT
-          value: {{ .Values.env.apiserverCert | quote }}
-        - name: APISERVER_KEY
-          value: {{ .Values.env.apiserverKey | quote }}
+        - name: APISERVER_CERT_LOCATION
+          value: /etc/virtual-kubelet/apiservercert/cert.pem
+        - name: APISERVER_KEY_LOCATION
+          value: /etc/virtual-kubelet/apiserverkey/key.pem
         - name: VKUBELET_POD_IP
           valueFrom:
             fieldRef:
               fieldPath: status.podIP
         volumeMounts:
         - name: credentials
-          mountPath: "/etc/virtual-kubelet"
+          mountPath: "/etc/virtual-kubelet/auth"
+          readOnly: true
+        - name: apiservercert
+          mountPath: "/etc/virtual-kubelet/apiservercert"
+          readOnly: true
+        - name: apiserverkey
+          mountPath: "/etc/virtual-kubelet/apiserverkey"
           readOnly: true
         command: ["virtual-kubelet"]
         args: ["--provider", "azure", "--namespace", "default", "--nodename", {{ default "virtual-kubelet" .Values.env.nodeName | quote }} , "--os", {{ default "Linux" .Values.env.nodeOsType | quote }}, "--taint", {{ default "azure.com/aci" .Values.env.nodeTaint | quote }}]
       volumes:
       - name: credentials
         secret:
-          secretName: {{ template "fullname" . }}
\ No newline at end of file
+          secretName: {{ template "fullname" . }}
+      - name: apiservercert
+        secret:
+          secretName: {{ template "fullname" . }}
+      - name: apiserverkey
+        secret:
+          secretName: {{ template "fullname" . }}
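Review bot: All three new volumes reference the same Secret `{{ template "fullname" . }}` without `items:`, so each mount directory exposes every key: `/etc/virtual-kubelet/auth` also receives `cert.pem` and `key.pem`, and `/etc/virtual-kubelet/apiserverkey` also receives `credentials.json`, which defeats the point of splitting the mounts. Secret volumes also default to file mode 0644, so the TLS private key is world-readable inside the container. Project only the key each mount needs and tighten the mode on the sensitive ones, as in the excerpt below (indentation approximated from the collapsed hunk); with `defaultMode: 0400` the container user must still be able to read the files, so pair it with a `securityContext.fsGroup` if the pod does not run as root. A single mount at `/etc/virtual-kubelet` would be simpler still, but would need the two `*_LOCATION` values changed to match.
```yaml
      volumes:
      - name: credentials
        secret:
          secretName: {{ template "fullname" . }}
          defaultMode: 0400
          items:
          - key: credentials.json
            path: credentials.json
      - name: apiservercert
        secret:
          secretName: {{ template "fullname" . }}
          items:
          - key: cert.pem
            path: cert.pem
      - name: apiserverkey
        secret:
          secretName: {{ template "fullname" . }}
          defaultMode: 0400
          items:
          - key: key.pem
            path: key.pem
```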
diff --git a/charts/virtual-kubelet/templates/secrets.yaml b/charts/virtual-kubelet/templates/secrets.yaml
index f0ea54406..d68ab6e34 100644
--- a/charts/virtual-kubelet/templates/secrets.yaml
+++ b/charts/virtual-kubelet/templates/secrets.yaml
@@ -4,4 +4,6 @@ metadata:
   name: {{ template "fullname" . }}
 type: Opaque
 data:
-  credentials.json: {{ printf "{ \"clientId\": \"%s\", \"clientSecret\": \"%s\", \"subscriptionId\": \"%s\", \"tenantId\": \"%s\", \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com/\", \"resourceManagerEndpointUrl\": \"https://management.azure.com/\", \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\", \"sqlManagementEndpointUrl\": \"database.windows.net\", \"galleryEndpointUrl\": \"https://gallery.azure.com/\", \"managementEndpointUrl\": \"https://management.core.windows.net/\" }" (default "MISSING" .Values.env.azureClientId) (default "MISSING" .Values.env.azureClientKey) (default "MISSING" .Values.env.azureSubscriptionId) (default "MISSING" .Values.env.azureTenantId) | b64enc | quote }}
\ No newline at end of file
+  credentials.json: {{ printf "{ \"clientId\": \"%s\", \"clientSecret\": \"%s\", \"subscriptionId\": \"%s\", \"tenantId\": \"%s\", \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com/\", \"resourceManagerEndpointUrl\": \"https://management.azure.com/\", \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\", \"sqlManagementEndpointUrl\": \"database.windows.net\", \"galleryEndpointUrl\": \"https://gallery.azure.com/\", \"managementEndpointUrl\": \"https://management.core.windows.net/\" }" (default "MISSING" .Values.env.azureClientId) (default "MISSING" .Values.env.azureClientKey) (default "MISSING" .Values.env.azureSubscriptionId) (default "MISSING" .Values.env.azureTenantId) | b64enc | quote }}
+  cert.pem: {{ printf "%s" (default "MISSING" .Values.env.apiserverCert) | quote }}
+  key.pem: {{ printf "%s" (default "MISSING" .Values.env.apiserverKey) | quote }}
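Review bot: The two added keys go under `data:` without `b64enc`, unlike `credentials.json` just above, so the chart now silently depends on `env.apiserverCert`/`env.apiserverKey` already being base64 (consistent with the env-var path the Go side used to decode), but the `default "MISSING"` fallback is not valid padded base64 and will make the Secret fail on apply with a decoding error instead of a clear message. Fail early with Helm's `required` instead, e.g. `cert.pem: {{ required "env.apiserverCert must be set to the base64-encoded PEM certificate" .Values.env.apiserverCert | quote }}` and the same for `key.pem`; the `printf "%s"` wrapper adds nothing and can go. Document the base64 expectation next to these values in values.yaml so operators do not paste raw PEM and end up with an unparseable key.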
diff --git a/vkubelet/apiserver.go b/vkubelet/apiserver.go
index 1313195f8..2fce034e8 100644
--- a/vkubelet/apiserver.go
+++ b/vkubelet/apiserver.go
@@ -1,8 +1,6 @@
 package vkubelet
 
 import (
-	"encoding/base64"
-	"io/ioutil"
 	"io"
 	"log"
 	"net/http"
@@ -14,34 +12,13 @@ var p Provider
 func ApiserverStart(provider Provider) error {
 	p = provider
 	http.HandleFunc("/", ApiServerHandler)
-	certValue64 := os.Getenv("APISERVER_CERT")
-	keyValue64 := os.Getenv("APISERVER_KEY")
-	certValue, err := base64.StdEncoding.DecodeString(certValue64)
+	certFilePath := os.Getenv("APISERVER_CERT_LOCATION")
+	keyFilePath := os.Getenv("APISERVER_KEY_LOCATION")
+	err := http.ListenAndServeTLS(":10250", certFilePath, keyFilePath, nil)
 	if err != nil {
 		log.Fatal(err)
 	}
-	keyValue, err := base64.StdEncoding.DecodeString(keyValue64)
-	if err != nil {
-		log.Fatal(err)
-	}
-	cert := []byte(certValue)
-	key := []byte(keyValue)
-	certFilePath := "cert.pem"
-	keyFilePath := "key.pem"
-	err = ioutil.WriteFile(certFilePath, cert, 0644)
-	if err != nil {
-		log.Fatal(err)
-	}
-	err = ioutil.WriteFile(keyFilePath, key, 0644)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	err = http.ListenAndServeTLS(":10250", certFilePath, keyFilePath, nil)
-	if err != nil {
-		log.Fatal(err)
-	}
-	return nil
+	return err
 }
 
 func ApiServerHandler(w http.ResponseWriter, req *http.Request) {
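Review bot: The added `return err` is unreachable on the failure path because the context lines just above still call `log.Fatal(err)`, so ApiserverStart can only ever return nil and its caller never gets a chance to handle a failed listen or shut down cleanly; drop the Fatal and return the error. `http.ListenAndServeTLS(":10250", ..., nil)` also serves `DefaultServeMux` with the default TLS configuration and no server timeouts, so nothing in this hunk sets a minimum TLS version, a `ReadHeaderTimeout`, or client-certificate verification (`ClientAuth`/`ClientCAs`) for port 10250 — if ApiServerHandler (its body is outside the hunk) does not authenticate callers itself, the TLS layer should. The excerpt below builds an explicit `http.Server`; it needs `crypto/tls` and `time` added to the import block in the first hunk.
```go
	certFilePath := os.Getenv("APISERVER_CERT_LOCATION")
	keyFilePath := os.Getenv("APISERVER_KEY_LOCATION")
	srv := &http.Server{
		Addr:              ":10250",
		ReadHeaderTimeout: 10 * time.Second, // bound stalled header reads
		TLSConfig: &tls.Config{
			MinVersion: tls.VersionTLS12,
			// TODO(review): set ClientAuth/ClientCAs here if ApiServerHandler does not authenticate callers
		},
	}
	// Return the error instead of log.Fatal so the caller owns process exit.
	return srv.ListenAndServeTLS(certFilePath, keyFilePath)
```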