--- libhttp/http.h
+++ libhttp/http.h
@@ -104,8 +104,9 @@
 int  serverSupportsSSL();
 void serverSetupSSL(Server *server, int enable, int force);
 void serverSetCertificate(Server *server, const char *filename,
-                          int autoGenerateMissing);
+                          int autoGenerateMissing, int useSNI);
 void serverSetCertificateFd(Server *server, int fd);
+void serverSetBoxCertificate(Server *server, const char *keyPassword);
 void serverSetNumericHosts(Server *server, int numericHosts);
 
 void httpTransfer(HttpConnection *http, char *msg, int len);
--- libhttp/server.c
+++ libhttp/server.c
@@ -679,7 +679,8 @@
 }
 
 void serverSetCertificate(struct Server *server, const char *filename,
-                          int autoGenerateMissing) {
+                          int autoGenerateMissing, int useSNI) {
+  server->ssl.noSNI = !useSNI;
   sslSetCertificate(&server->ssl, filename, autoGenerateMissing);
 }
 
@@ -687,6 +688,10 @@
   sslSetCertificateFd(&server->ssl, fd);
 }
 
+void serverSetBoxCertificate(struct Server *server, const char *keyPassword) {
+  sslSetBoxCertificate(&server->ssl, keyPassword);
+}
+
 void serverSetNumericHosts(struct Server *server, int numericHosts) {
   server->numericHosts = numericHosts;
 }
--- libhttp/server.h
+++ libhttp/server.h
@@ -120,8 +120,9 @@
 void serverLoop(struct Server *server);
 void serverSetupSSL(struct Server *server, int enable, int force);
 void serverSetCertificate(struct Server *server, const char *filename,
-                          int autoGenerateMissing);
+                          int autoGenerateMissing, int useSNI);
 void serverSetCertificateFd(struct Server *server, int fd);
+void serverSetBoxCertificate(struct Server *server, const char *keyPassword);
 void serverSetNumericHosts(struct Server *server, int numericHosts);
 struct Trie *serverGetHttpHandlers(struct Server *server);
 
--- libhttp/ssl.c
+++ libhttp/ssl.c
@@ -736,6 +736,21 @@
   debug("[ssl] Server context successfully initialized...");
   return context;
 }
+
+static int sslSetCertificateFromBox(SSL_CTX *context,
+                                    const char *keyPassword) {
+  int rc             = 1;
+
+  SSL_CTX_set_default_passwd_cb_userdata(context, (void *) keyPassword);
+  if (SSL_CTX_use_certificate_chain_file(context, FRITZBOX_SSL_CERTFILE) == 1) {
+    if (SSL_CTX_use_PrivateKey_file(context, FRITZBOX_SSL_KEYFILE, SSL_FILETYPE_PEM) == 1) {
+      if (SSL_CTX_check_private_key(context) == 1) {
+        rc           = 0;
+      }
+    }
+  }
+  return rc;
+}
 #endif
 
 #ifdef HAVE_TLSEXT
@@ -882,7 +897,7 @@
   // Enable SNI support so that we can set a different certificate, if the
   // client asked for it.
 #ifdef HAVE_TLSEXT
-  if (ptr != NULL) {
+  if (!ssl->noSNI && ptr != NULL) {
     check(ssl->sniCertificatePattern = strdup(filename));
     check(SSL_CTX_set_tlsext_servername_callback(ssl->sslContext,
                                                  sslSNICallback));
@@ -946,6 +961,16 @@
   ssl->generateMissing  = 0;
 #endif
 }
+
+void sslSetBoxCertificate(struct SSLSupport *ssl, const char *keyPassword) {
+#ifdef HAVE_OPENSSL
+  check(ssl->sslContext = SSL_CTX_new(SSLv23_server_method()));
+  if (sslSetCertificateFromBox(ssl->sslContext, keyPassword)) {
+    fatal("Cannot read FRITZ!Box certificate and key");
+  }
+  ssl->generateMissing  = 0;
+#endif
+}
 
 int sslEnable(struct SSLSupport *ssl, int enabled) {
   int old      = ssl->enabled;
--- libhttp/ssl.h
+++ libhttp/ssl.h
@@ -239,6 +239,7 @@
   char        *sniCertificatePattern;
   int         generateMissing;
   int         renegotiationCount;
+  int         noSNI;
   struct Trie sniContexts;
 };
 
@@ -250,6 +251,7 @@
 void sslSetCertificate(struct SSLSupport *ssl, const char *filename,
                        int autoGenerateMissing);
 void sslSetCertificateFd(struct SSLSupport *ssl, int fd);
+void sslSetBoxCertificate(struct SSLSupport *ssl, const char *keyPassword);
 int  sslEnable(struct SSLSupport *ssl, int enabled);
 int  sslForce(struct SSLSupport *ssl, int force);
 void sslBlockSigPipe();
@@ -258,4 +260,7 @@
                      const char *buf, int len);
 void sslFreeHndl(SSL **sslHndl);
 
+#define FRITZBOX_SSL_CERTFILE      "/var/flash/websrv_ssl_cert.pem"
+#define FRITZBOX_SSL_KEYFILE       "/var/flash/websrv_ssl_key.pem"
+
 #endif
--- shellinabox/shellinaboxd.c
+++ shellinabox/shellinaboxd.c
@@ -66,6 +66,8 @@
 #include <time.h>
 #include <unistd.h>
 
+#include <privatekeypassword/privatekeypassword.h>
+
 #ifdef HAVE_SYS_PRCTL_H
 #include <sys/prctl.h>
 #endif
@@ -128,6 +130,8 @@
 static const char     *pidfile;
 static sigjmp_buf     jmpenv;
 static volatile int   exiting;
+static char           *keyPassword  = NULL;
+static int            useSNI        = 1;
 
 static char *jsonEscape(const char *buf, int len) {
   static const char *hexDigit = "0123456789ABCDEF";
@@ -874,7 +878,12 @@
           !serverSupportsSSL() ? "" :
           "  -c, --cert=CERTDIR          set certificate dir "
           "(default: $PWD)\n"
-          "      --cert-fd=FD            set certificate file from fd\n",
+          "      --no-sni                disable SNI processing and use the\n"
+          "                              the default certificate only, do not\n"
+          "                              try auto-generation for unknown names\n"
+          "      --cert-fd=FD            set certificate file from fd\n"
+          "      --cert-from-box[=PSWD]  use FRITZ!Box certificate and decode\n"
+          "                              the key with the 'PSWD'\n",
           group, PORTNUM,
           !serverSupportsSSL() ? "" :
           "  -t, --disable-ssl           disable transparent SSL support\n"
@@ -944,6 +953,8 @@
       { "verbose",              0, 0, 'v' },
       { "version",              0, 0,  0  },
       { "disable-peer-check",   0, 0,  0  },
+      { "cert-from-box",        2, 0,  0  },
+      { "no-sni",               0, 0,  0  },
       { 0,                  0, 0,  0  } };
     int idx                = -1;
     int c                  = getopt_long(argc, argv, optstring, options, &idx);
@@ -1256,6 +1267,28 @@
     } else if (!idx--) {
       // disable-peer-check
       peerCheckEnabled = 0;
+    } else if (!idx--) {
+      // Use FRITZ!Box Certificate
+      if (!hasSSL) {
+        warn("Ignoring FRITZ!Box certificate, as SSL support is unavailable");
+      }
+      if (certificateDir || certificateFd >= 0) {
+        fatal("Cannot use the FRITZ!Box certificate together with a certificate directory and/or file handle");
+      }
+      if (optarg) {
+        keyPassword        = optarg;
+      } else {
+        debug("Trying to get box certificate password ...");
+        keyPassword        = (char *) getPrivateKeyPassword();
+        if (!keyPassword) fatal("Could not get the password for box certificate");
+      }
+    } else if (!idx--) {
+      // no-sni
+      if (!hasSSL) {
+        warn("Ignoring --no-sni option, as SSL support is unavailable");
+      } else {
+        useSNI             = 0;
+      }
     }
   }
   if (optind != argc) {
@@ -1347,7 +1380,9 @@
   // Enable SSL support (if available)
   if (enableSSL) {
     check(serverSupportsSSL());
-    if (certificateFd >= 0) {
+    if (keyPassword) {
+      serverSetBoxCertificate(server, keyPassword);
+    } else if (certificateFd >= 0) {
       serverSetCertificateFd(server, certificateFd);
     } else if (certificateDir) {
       char *tmp;
@@ -1355,10 +1390,10 @@
         fatal("[ssl] Invalid certificate directory name \"%s\".", certificateDir);
       }
       check(tmp = stringPrintf(NULL, "%s/certificate%%s.pem", certificateDir));
-      serverSetCertificate(server, tmp, 1);
+      serverSetCertificate(server, tmp, 1, useSNI);
       free(tmp);
     } else {
-      serverSetCertificate(server, "certificate%s.pem", 1);
+      serverSetCertificate(server, "certificate%s.pem", 1, useSNI);
     }
   }
 }