diff --git a/jupyterhub/spawner.py b/jupyterhub/spawner.py
index 3b6510fc..343b565f 100644
--- a/jupyterhub/spawner.py
+++ b/jupyterhub/spawner.py
@@ -168,6 +168,7 @@ class Spawner(LoggingConfigurable):
 internal_ssl = Bool(False)
 internal_trust_bundles = Dict()
 internal_certs_location = Unicode('')
+ cert_paths = Dict()
 admin_access = Bool(False)
 api_token = Unicode()
 oauth_client_id = Unicode()
@@ -650,12 +651,10 @@ class Spawner(LoggingConfigurable):
 if self.cpu_guarantee:
 env['CPU_GUARANTEE'] = str(self.cpu_guarantee)
- if self.internal_ssl:
- paths = self.move_certs(self.create_certs())
-
- env['JUPYTERHUB_NOTEBOOK_SSL_KEYFILE'] = paths['keyfile']
- env['JUPYTERHUB_NOTEBOOK_SSL_CERTFILE'] = paths['certfile']
- env['JUPYTERHUB_NOTEBOOK_SSL_CLIENT_CA'] = paths['cafile']
+ if self.cert_paths:
+ env['JUPYTERHUB_NOTEBOOK_SSL_KEYFILE'] = self.cert_paths['keyfile']
+ env['JUPYTERHUB_NOTEBOOK_SSL_CERTFILE'] = self.cert_paths['certfile']
+ env['JUPYTERHUB_NOTEBOOK_SSL_CLIENT_CA'] = self.cert_paths['cafile']
 return env
@@ -697,7 +696,7 @@ class Spawner(LoggingConfigurable):
 """
 return s.format(**self.template_namespace())
- def create_certs(self, alt_names=None, override=False):
+ async def create_certs(self, alt_names=None, override=False):
 """Create and set ownership for the certs to be used for internal ssl
 Keyword Arguments:
@@ -748,7 +747,7 @@ class Spawner(LoggingConfigurable):
 }
 return paths
- def move_certs(self, paths):
+ async def move_certs(self, paths):
 """Takes certificate paths and makes them available to the notebook server
 Arguments:
diff --git a/jupyterhub/user.py b/jupyterhub/user.py
index c9e71bef..7d0bb801 100644
--- a/jupyterhub/user.py
+++ b/jupyterhub/user.py
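Review bot: In the `-650` hunk of `jupyterhub/spawner.py` (`get_env`, judging by `return env`) the TLS variables are now gated on `if self.cert_paths:` rather than `self.internal_ssl`, so an empty or never-assigned `cert_paths` silently produces an environment without `JUPYTERHUB_NOTEBOOK_SSL_*` even when internal SSL is enabled. That would happen if a `move_certs` override returned an empty dict, or if this code were reached without the cert creation added in `jupyterhub/user.py` having run (inferred; only that one call site is visible). Failing closed is safer: keep the `if self.internal_ssl:` guard and put `if not self.cert_paths: raise RuntimeError("internal_ssl is enabled but cert_paths is not set")` under it before filling `env`. Note also that the caller checks `self.settings.get('internal_ssl')` while the Spawner has its own `internal_ssl` trait, so the two flags need to agree. The enclosing method starts outside the hunk.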
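Review bot: `create_certs` (the `-697` hunk) and `move_certs` (the `-748` hunk) in `jupyterhub/spawner.py` become coroutines, but the visible docstring openings are unchanged and do not say so. Subclass authors need to know that an override may be either a plain function or a coroutine, which works because the caller in `jupyterhub/user.py` wraps both in `maybe_future`. They also need to know that calling `self.move_certs(...)` without `await` now returns a coroutine rather than the paths dict. I would add a line such as `This method is a coroutine; overrides may be plain functions or coroutines.` to each docstring. The `move_certs` docstring should also state that the returned dict must contain `keyfile`, `certfile` and `cafile`, since the `-650` hunk indexes exactly those keys. Both function bodies continue outside their hunks.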
@@ -440,6 +440,11 @@ class User:
 try:
 # run optional preparation work to bootstrap the notebook
 await maybe_future(spawner.run_pre_spawn_hook())
+ if self.settings.get('internal_ssl'):
+ self.log.debug("Creating internal SSL certs for %s", spawner._log_name)
+ hub_paths = await maybe_future(spawner.create_certs())
+ spawner.cert_paths = await maybe_future(spawner.move_certs(hub_paths))
+ self.log.debug("Calling Spawner.start for %s", spawner._log_name)
 f = maybe_future(spawner.start())
 # commit any changes in spawner.start (always commit db changes before yield)
 db.commit()
@@ -536,11 +541,11 @@ class User:
 spawner.orm_spawner.state = spawner.get_state()
 db.commit()
 spawner._waiting_for_response = True
+ key = self.settings.get('internal_ssl_key')
+ cert = self.settings.get('internal_ssl_cert')
+ ca = self.settings.get('internal_ssl_ca')
+ ssl_context = make_ssl_context(key, cert, cafile=ca)
 try:
- key = self.settings.get('internal_ssl_key')
- cert = self.settings.get('internal_ssl_cert')
- ca = self.settings.get('internal_ssl_ca')
- ssl_context = make_ssl_context(key, cert, cafile=ca)
 resp = await server.wait_up(
 http=True,
 timeout=spawner.http_timeout,
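Review bot: In the `-536` hunk of `jupyterhub/user.py` the four lines that build `ssl_context` now run after `spawner._waiting_for_response = True` but before `try:`, so an exception from `make_ssl_context` (for example an unreadable key or CA file) bypasses whatever the handler of this `try` does. The `except`/`finally` clauses are outside the hunk, so this is inferred. If they reset `_waiting_for_response` or stop the freshly started server, a bad certificate path would leave the flag set and the server running without the Hub tracking it. Building the context first avoids that: move the `key`/`cert`/`ca`/`ssl_context` lines above `spawner._waiting_for_response = True`, or keep them inside the `try`.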