diff --git a/hooks/ssl_utils.py b/hooks/ssl_utils.py
index f5255f78..553a47e9 100644
--- a/hooks/ssl_utils.py
+++ b/hooks/ssl_utils.py
@@ -23,6 +23,7 @@ from charmhelpers.core.hookenv import (
 )
 
 import base64
+import binascii
 
 
 def get_ssl_mode():
@@ -53,8 +54,13 @@ def configure_client_ssl(relation_data):
     relation_data['ssl_port'] = config('ssl_port')
     if external_ca:
         if config('ssl_ca'):
-            relation_data['ssl_ca'] = base64.b64encode(
-                config('ssl_ca'))
+            try:
+                base64.decodestring(config('ssl_ca'))
+                # No need to encode it, it is already encoded.
+                ssl_ca_encoded = config('ssl_ca')
+            except binascii.Error:
+                ssl_ca_encoded = base64.b64encode(config('ssl_ca'))
+            relation_data['ssl_ca'] = ssl_ca_encoded
         return
     ca = ServiceCA.get_ca()
     relation_data['ssl_ca'] = base64.b64encode(ca.get_ca_bundle())
diff --git a/unit_tests/test_ssl_utils.py b/unit_tests/test_ssl_utils.py
index 6664e90e..65ecd571 100644
--- a/unit_tests/test_ssl_utils.py
+++ b/unit_tests/test_ssl_utils.py
@@ -110,6 +110,19 @@ class TestSSLUtils(CharmTestCase):
             relation_data,
             {'ssl_port': '9090', 'ssl_ca': 'ZXh0X2Nh'})
 
+    @patch('ssl_utils.get_ssl_mode')
+    def test_get_ssl_mode_ssl_on_ext_ca_b64(self, get_ssl_mode):
+        get_ssl_mode.return_value = ('on', True)
+        test_config = {
+            'ssl_port': '9090',
+            'ssl_ca': 'ZXh0X2Nh'}
+        self.config.side_effect = lambda x: test_config[x]
+        relation_data = {}
+        ssl_utils.configure_client_ssl(relation_data)
+        self.assertEqual(
+            relation_data,
+            {'ssl_port': '9090', 'ssl_ca': 'ZXh0X2Nh'})
+
     @patch('ssl_utils.local_unit')
     @patch('ssl_utils.relation_ids')
     @patch('ssl_utils.relation_get')