diff --git a/doc/Changelog b/doc/Changelog
index e46e7aad6..d37a7ac69 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,7 +2,7 @@
 - Fix that libunbound can do DNS-over-TLS, when configured.
 - Fix that windows unbound service can use DNS-over-TLS.
 - unbound-host initializes ssl (for potential DNS-over-TLS usage
- inside libunbound).
+ inside libunbound), when ssl upstream or a cert-bundle is configured.
 
 23 May 2018: Wouter
 - Use accept4 to speed up incoming TCP (and TLS) connections,
diff --git a/libunbound/libworker.c b/libunbound/libworker.c
index 84ac6aed6..4aa9656af 100644
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@@ -158,12 +158,14 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 hints_delete(w->env->hints);
 w->env->hints = NULL;
 }
- w->sslctx = connect_sslctx_create(NULL, NULL,
- cfg->tls_cert_bundle);
- if(!w->sslctx) {
- /* to make the setup fail after unlock */
- hints_delete(w->env->hints);
- w->env->hints = NULL;
+ if(cfg->ssl_upstream || (cfg->tls_cert_bundle && cfg->tls_cert_bundle[0])) {
+ w->sslctx = connect_sslctx_create(NULL, NULL,
+ cfg->tls_cert_bundle);
+ if(!w->sslctx) {
+ /* to make the setup fail after unlock */
+ hints_delete(w->env->hints);
+ w->env->hints = NULL;
+ }
 }
 if(!w->is_bg || w->is_bg_thread) {
 lock_basic_unlock(&ctx->cfglock);
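Review bot: The new gating condition on `cfg->ssl_upstream` and `cfg->tls_cert_bundle` carries no comment explaining why SSL_CTX creation is now skipped, and nothing in the hunk shows what `w->sslctx` holds when the branch is not taken; presumably the worker struct is zeroed at allocation so it stays NULL, but that happens outside the hunk and is worth confirming, since a non-NULL garbage pointer there would be used as a TLS context later. A comment above the `if` would make the contract visible, e.g. `/* only build an SSL_CTX when TLS upstream or a CA bundle is configured; otherwise w->sslctx stays NULL and no TLS upstream connection is possible */`. The retained `/* to make the setup fail after unlock */` is also indirect: it apparently relies on a later check of `w->env->hints` being NULL to report the allocation failure, so naming that check in the comment would spare the next reader the search. The condition line is also longer than the continuation-wrapped lines around it; breaking it after `||` matches the file's style. libworker_setup begins and ends outside the hunk.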