diff --git a/docs/tutorials/setting-up.md b/docs/tutorials/setting-up.md
index 6dd0615..86dcd5d 100644
--- a/docs/tutorials/setting-up.md
+++ b/docs/tutorials/setting-up.md
@@ -71,17 +71,9 @@ You still need to make keys readable for maddy, though:
 $ sudo setfacl -R -m u:maddy:rX /etc/letsencrypt/{live,archive}
 ```
 
-Additionally, it is a good idea to automatically restart
-maddy on certificate renewal.
-Put that into /etc/letsencrypt/renewal-hooks/post/restart:
-```shell
-#!/bin/bash
-systemctl restart maddy
-```
-And make it executable:
-```
-$ sudo chmod +x /etc/letsencrypt/renewal-hooks/post/restart
-```
+maddy reloads TLS certificates from disk once in a minute so it will notice
+renewal. It is possible to force reload via `systemctl reload maddy` (or just
+`killall -USR2 maddy`).
 
 ## First run
 
diff --git a/internal/config/tls_server.go b/internal/config/tls_server.go
index 9721498..40e6521 100644
--- a/internal/config/tls_server.go
+++ b/internal/config/tls_server.go
@@ -33,7 +33,7 @@ func (cfg *TLSConfig) Get() *tls.Config {
 	return cfg.cfg.Clone()
 }
 
-func (cfg *TLSConfig) read(m *Map, node *Node) error {
+func (cfg *TLSConfig) read(m *Map, node *Node, generateSelfSig bool) error {
 	cfg.l.Lock()
 	defer cfg.l.Unlock()
 
@@ -44,6 +44,10 @@ func (cfg *TLSConfig) read(m *Map, node *Node) error {
 		cfg.cfg = nil
 		return nil
 	case "self_signed":
+		if !generateSelfSig {
+			return nil
+		}
+
 		tlsCfg := &tls.Config{
 			MinVersion: tls.VersionTLS10,
 			MaxVersion: tls.VersionTLS13,
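Review bot: The new `generateSelfSig` flag in the `self_signed` case is a bare boolean whose meaning is only recoverable from the two call sites in TLSDirective (`true` on first load, `false` on reload), so the early return deserves a comment stating the intent; the visible effect is that the branch returns before `tlsCfg` is built, leaving `cfg.cfg` untouched on reloads. I would add above `if !generateSelfSig {`: `// Only generate a self-signed certificate on the initial load; periodic and` / `// forced reloads keep the one already in cfg.cfg rather than minting a new key.` A doc comment on `read` itself describing the parameter would also help, but the signature line is in the previous hunk and the rest of read's body (including the file-backed branches) is outside this hunk, so I cannot confirm how the other cases treat the flag.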
@@ -79,16 +83,25 @@ func TLSDirective(m *Map, node *Node) (interface{}, error) {
 	cfg := TLSConfig{
 		initCfg: node,
 	}
-	if err := cfg.read(m, node); err != nil {
+	if err := cfg.read(m, node, true); err != nil {
 		return nil, err
 	}
 
 	hooks.AddHook(hooks.EventReload, func() {
-		log.Debugln("reloading TLS configuration")
-		if err := cfg.read(NewMap(nil, cfg.initCfg), cfg.initCfg); err != nil {
-			log.DefaultLogger.Error("failed to reload TLS config", err)
+		log.Debugln("tls: reloading certificates")
+		if err := cfg.read(NewMap(nil, cfg.initCfg), cfg.initCfg, false); err != nil {
+			log.DefaultLogger.Error("tls: failed to load new certs", err)
 		}
 	})
+	go func() {
+		t := time.NewTicker(1 * time.Minute)
+		for range t.C {
+			log.Debugln("tls: reloading certificates")
+			if err := cfg.read(NewMap(nil, cfg.initCfg), cfg.initCfg, false); err != nil {
+				log.DefaultLogger.Error("tls: failed to load new certs", err)
+			}
+		}
+	}()
 
 	// Return nil so callers can check whether TLS is enabled easier.
 	if cfg.cfg == nil {
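Review bot: The reload goroutine started with `go func()` has no way to stop: `for range t.C` loops forever, the ticker is never `Stop`ped, and since TLSDirective runs once per `tls` directive, every configuration parse leaves another minute-interval reloader alive for the process lifetime. A stop channel (closed from whatever shutdown path the daemon has, e.g. a shutdown hook if the `hooks` package offers one) bounds the goroutine and lets the ticker be released. Separately, since reload errors are only logged here, whether a failed read (for instance a half-rotated cert/key pair under /etc/letsencrypt) leaves the previous `cfg.cfg` in place depends on read's file-backed branches outside this diff; a one-line comment confirming that would reassure the next reader. TLSDirective continues past the end of the hunk.
```go
	// … unchanged: cfg initialisation, initial cfg.read(m, node, true) and the EventReload hook …
	stop := make(chan struct{})
	go func() {
		t := time.NewTicker(1 * time.Minute)
		defer t.Stop()
		for {
			select {
			case <-stop:
				return
			case <-t.C:
				log.Debugln("tls: reloading certificates")
				if err := cfg.read(NewMap(nil, cfg.initCfg), cfg.initCfg, false); err != nil {
					log.DefaultLogger.Error("tls: failed to load new certs", err)
				}
			}
		}
	}()
	// close(stop) from the daemon's shutdown path so the reloader does not outlive the config.
```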