diff --git a/endpoints/api/superuser.py b/endpoints/api/superuser.py
index 9a1da3dea..953c30960 100644
--- a/endpoints/api/superuser.py
+++ b/endpoints/api/superuser.py
@@ -3,6 +3,7 @@
 import logging
 import os
 import string
+import subprocess
 
 import pathvalidate
 
@@ -894,9 +895,27 @@ class SuperUserCustomCertificate(ApiResource):
       if not uploaded_file:
         abort(400)
 
+      # Save the certificate.
       certpath = pathvalidate.sanitize_filename(certpath)
+      if not certpath.endswith('.crt'):
+        abort(400)
+
       cert_full_path = os.path.join(EXTRA_CA_DIRECTORY, certpath)
       config_provider.save_volume_file(cert_full_path, uploaded_file)
+
+      # Validate the certificate.
+      try:
+        with config_provider.get_volume_file(cert_full_path) as f:
+          load_certificate(f.read())
+
+        # Call the update script to install the certificate immediately.
+        if not app.config['TESTING']:
+          subprocess.check_call(['/conf/init/certs_install.sh'])
+      except CertInvalidException:
+        pass
+      except IOError:
+        pass
+
       return '', 204
 
     abort(403)
diff --git a/static/directives/config/config-certificates-field.html b/static/directives/config/config-certificates-field.html
index 502475672..f20e4c459 100644
--- a/static/directives/config/config-certificates-field.html
+++ b/static/directives/config/config-certificates-field.html
@@ -12,6 +12,7 @@
           <p>
           Custom certificates are typically used in place of publicly signed certificates for corporate-internal services.
           </p>
+          <p>Please <strong>make sure</strong> that all custom names used for downstream services (such as Clair) are listed in the certificates below.</p>
         </div>
 
         <table class="config-table" style="margin-bottom: 20px;">
@@ -19,9 +20,10 @@
             <td>Upload certificates:</td>
             <td>
               <div class="file-upload-box"
-                     select-message="Select custom certificate to add to configuration. Must be in PEM format."
+                     select-message="Select custom certificate to add to configuration. Must be in PEM format and end extension '.crt'"
                      files-selected="handleCertsSelected(files, callback)"
-                     reset="resetUpload"></div>
+                     reset="resetUpload"
+                     extensions="['.crt']"></div>
             </td>
           </tr>
         </table>
@@ -33,7 +35,7 @@
             <td>Names Handled</td>
             <td class="options-col"></td>
           </thead>
-          <tr ng-repeat="certificate in certInfo.certs">
+          <tr ng-repeat="certificate in certInfo.certs" ng-if="!certsUploading">
             <td>{{ certificate.path }}</td>
             <td class="cert-status">
               <div ng-if="certificate.error" class="red">
@@ -62,7 +64,11 @@
             </td>
           </tr>
         </table>
-        <div class="empty" ng-if="!certInfo.certs.length" style="margin-top: 20px;">
+        <div ng-if="certsUploading" style="margin-top: 20px; text-align: center;">
+          <div class="cor-loader-inline"></div>
+          Uploading, validating and updating certificate(s)
+        </div>
+        <div class="empty" ng-if="!certInfo.certs.length && !certsUploading" style="margin-top: 20px;">
           <div class="empty-primary-msg">No custom certificates found.</div>
         </div>
       </div>
diff --git a/static/directives/file-upload-box.html b/static/directives/file-upload-box.html
index f188e4191..65cdf9d6c 100644
--- a/static/directives/file-upload-box.html
+++ b/static/directives/file-upload-box.html
@@ -2,7 +2,9 @@
   <div class="file-input-container">
     <div ng-show="state != 'uploading'">
       <form id="file-drop-form-{{ boxId }}">
-        <input id="file-drop-{{ boxId }}" name="file-drop-{{ boxId }}" class="file-drop" type="file" files-changed="handleFilesChanged(files)">
+        <input id="file-drop-{{ boxId }}" name="file-drop-{{ boxId }}" class="file-drop"
+               type="file" files-changed="handleFilesChanged(files)"
+               accept="{{ getAccepts(extensions) }}">
         <label for="file-drop-{{ boxId }}" ng-class="state">
           <span class="chosen-file">
             <span ng-if="selectedFiles.length">
diff --git a/static/js/core-config-setup.js b/static/js/core-config-setup.js
index 1347e82b0..719c9fe65 100644
--- a/static/js/core-config-setup.js
+++ b/static/js/core-config-setup.js
@@ -1322,10 +1322,12 @@ angular.module("core-config-setup", ['angularFileUpload'])
       },
       controller: function($scope, $element, $upload, ApiService, UserService) {
         $scope.resetUpload = 0;
+        $scope.certsUploading = false;
 
         var loadCertificates = function() {
           $scope.certificatesResource = ApiService.getCustomCertificatesAsResource().get(function(resp) {
             $scope.certInfo = resp;
+            $scope.certsUploading = false;
           });
         };
 
@@ -1336,6 +1338,7 @@ angular.module("core-config-setup", ['angularFileUpload'])
         });
 
         $scope.handleCertsSelected = function(files, callback) {
+          $scope.certsUploading = true;
           $upload.upload({
             url: '/api/v1/superuser/customcerts/' + files[0].name,
             method: 'POST',
diff --git a/static/js/directives/ui/file-upload-box.js b/static/js/directives/ui/file-upload-box.js
index 6a0931afa..25c09e5b6 100644
--- a/static/js/directives/ui/file-upload-box.js
+++ b/static/js/directives/ui/file-upload-box.js
@@ -15,6 +15,8 @@ angular.module('quay').directive('fileUploadBox', function () {
       'filesCleared': '&filesCleared',
       'filesValidated': '&filesValidated',
 
+      'extensions': '<extensions',
+
       'reset': '=?reset'
     },
     controller: function($rootScope, $scope, $element, ApiService) {
@@ -150,6 +152,14 @@ angular.module('quay').directive('fileUploadBox', function () {
         }
       };
 
+      $scope.getAccepts = function(extensions) {
+        if (!extensions || !extensions.length) {
+          return '*';
+        }
+
+        return extensions.join(',');
+      };
+
       $scope.$watch('reset', function(reset) {
         if (reset) {
           $scope.state = 'clear';
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index dd0094b8d..020a4faf9 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -4457,21 +4457,21 @@ class TestSuperUserCustomCertificates(ApiTestCase):
 
     # Upload a certificate.
     cert_contents, _ = generate_test_cert(hostname='somecoolhost', san_list=['DNS:bar', 'DNS:baz'])
-    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert'),
-                      file=(StringIO(cert_contents), 'testcert'), expected_code=204)
+    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert.crt'),
+                      file=(StringIO(cert_contents), 'testcert.crt'), expected_code=204)
 
     # Make sure it is present.
     json = self.getJsonResponse(SuperUserCustomCertificates)
     self.assertEquals(1, len(json['certs']))
 
     cert_info = json['certs'][0]
-    self.assertEquals('testcert', cert_info['path'])
+    self.assertEquals('testcert.crt', cert_info['path'])
 
     self.assertEquals(set(['somecoolhost', 'bar', 'baz']), set(cert_info['names']))
     self.assertFalse(cert_info['expired'])
 
     # Remove the certificate.
-    self.deleteResponse(SuperUserCustomCertificate, params=dict(certpath='testcert'))
+    self.deleteResponse(SuperUserCustomCertificate, params=dict(certpath='testcert.crt'))
 
     # Make sure it is gone.
     json = self.getJsonResponse(SuperUserCustomCertificates)
@@ -4482,15 +4482,15 @@ class TestSuperUserCustomCertificates(ApiTestCase):
 
     # Upload a certificate.
     cert_contents, _ = generate_test_cert(hostname='somecoolhost', expires=-10)
-    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert'),
-                      file=(StringIO(cert_contents), 'testcert'), expected_code=204)
+    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert.crt'),
+                      file=(StringIO(cert_contents), 'testcert.crt'), expected_code=204)
 
     # Make sure it is present.
     json = self.getJsonResponse(SuperUserCustomCertificates)
     self.assertEquals(1, len(json['certs']))
 
     cert_info = json['certs'][0]
-    self.assertEquals('testcert', cert_info['path'])
+    self.assertEquals('testcert.crt', cert_info['path'])
 
     self.assertEquals(set(['somecoolhost']), set(cert_info['names']))
     self.assertTrue(cert_info['expired'])
@@ -4499,15 +4499,15 @@ class TestSuperUserCustomCertificates(ApiTestCase):
     self.login(ADMIN_ACCESS_USER)
 
     # Upload an invalid certificate.
-    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert'),
-                      file=(StringIO('some contents'), 'testcert'), expected_code=204)
+    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert.crt'),
+                      file=(StringIO('some contents'), 'testcert.crt'), expected_code=204)
 
     # Make sure it is present but invalid.
     json = self.getJsonResponse(SuperUserCustomCertificates)
     self.assertEquals(1, len(json['certs']))
 
     cert_info = json['certs'][0]
-    self.assertEquals('testcert', cert_info['path'])
+    self.assertEquals('testcert.crt', cert_info['path'])
     self.assertEquals('no start line', cert_info['error'])
 
   def test_path_sanitization(self):
@@ -4515,15 +4515,15 @@ class TestSuperUserCustomCertificates(ApiTestCase):
 
     # Upload a certificate.
     cert_contents, _ = generate_test_cert(hostname='somecoolhost', expires=-10)
-    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert/../foobar'),
-                      file=(StringIO(cert_contents), 'testcert/../foobar'), expected_code=204)
+    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert/../foobar.crt'),
+                      file=(StringIO(cert_contents), 'testcert/../foobar.crt'), expected_code=204)
 
     # Make sure it is present.
     json = self.getJsonResponse(SuperUserCustomCertificates)
     self.assertEquals(1, len(json['certs']))
 
     cert_info = json['certs'][0]
-    self.assertEquals('foobar', cert_info['path'])
+    self.assertEquals('foobar.crt', cert_info['path'])
 
 
 class TestSuperUserTakeOwnership(ApiTestCase):