diff --git a/command/server/listener.go b/command/server/listener.go
index 7948bda988..fd5fecbc71 100644
--- a/command/server/listener.go
+++ b/command/server/listener.go
@@ -75,7 +75,7 @@ func listenerWrapTLS(

 tlsConf := &tls.Config{}
 tlsConf.GetCertificate = cg.getCertificate
- tlsConf.NextProtos = []string{"http/1.1"}
+ tlsConf.NextProtos = []string{"h2", "http/1.1"}
 tlsConf.MinVersion, ok = tlsutil.TLSLookup[tlsvers]
 if !ok {
 return nil, nil, nil, fmt.Errorf("'tls_min_version' value %s not supported, please specify one of [tls10,tls11,tls12]", tlsvers)
diff --git a/helper/certutil/helpers.go b/helper/certutil/helpers.go
index 816d7cfd83..d7408e449a 100644
--- a/helper/certutil/helpers.go
+++ b/helper/certutil/helpers.go
@@ -109,6 +109,8 @@ func ParsePEMBundle(pemBundle string) (*ParsedCertBundle, error) {
 return nil, UserError{"empty pem bundle"}
 }

+ pemBundle = strings.TrimSpace(pemBundle)
+
 pemBytes := []byte(pemBundle)
 var pemBlock *pem.Block
 parsedBundle := &ParsedCertBundle{}
diff --git a/helper/certutil/types.go b/helper/certutil/types.go
index 6767a8d241..203e09b508 100644
--- a/helper/certutil/types.go
+++ b/helper/certutil/types.go
@@ -437,7 +437,7 @@ func (p *ParsedCertBundle) GetTLSConfig(usage TLSUsage) (*tls.Config, error) {
 }

 tlsConfig := &tls.Config{
- NextProtos: []string{"http/1.1"},
+ NextProtos: []string{"h2", "http/1.1"},
 MinVersion: tls.VersionTLS12,
 }
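Review bot: Advertising `h2` on the `tlsConf.NextProtos` line ignores the configured minimum TLS version: the error string below shows `tls_min_version` still accepts `tls10` and `tls11`, while HTTP/2 (RFC 7540 section 9.2) requires TLS 1.2 or later and restricts the usable cipher suites. Go's HTTP/2 server refuses a connection that negotiates `h2` below TLS 1.2, so the interaction deserves at least a comment, for example `// h2 needs TLS 1.2+ and an AEAD ECDHE suite; lower tls_min_version values only serve http/1.1 clients`. If a cipher-suite setting is applied elsewhere in this function, it should be checked against the suites HTTP/2 requires. Outside this hunk it is also worth confirming that the listener handed to the HTTP server still yields `*tls.Conn` values, because net/http only serves HTTP/2 on those. The body of listenerWrapTLS starts and ends outside the hunk.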
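Review bot: The trim runs after the empty-bundle guard, whose `return nil, UserError{"empty pem bundle"}` is the first context line, so a bundle made only of whitespace passes that guard and reaches the decoder as an empty string. The guard's condition is outside the hunk, but if it tests the untrimmed length, moving `pemBundle = strings.TrimSpace(pemBundle)` above it keeps the explicit user error for that input. A short comment such as `// Tolerate leading/trailing whitespace and newlines around the PEM data.` would record why the trim exists, and a test with surrounding whitespace would pin the behaviour. ParsePEMBundle continues past the end of the hunk.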
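Review bot: GetTLSConfig takes a `usage` argument, so this literal presumably backs client as well as server configurations, and offering `h2` is only safe where the consumer actually speaks HTTP/2. A Go `http.Transport` given a custom TLS config may not have HTTP/2 enabled, in which case a peer that selects `h2` over ALPN would be read as HTTP/1.1 and the request would fail. A comment on the field, for example `// "h2" is offered first; callers must use an HTTP/2-capable transport or server with this config.`, would make that requirement visible to callers. This is the same ALPN change as in listener.go, but `MinVersion: tls.VersionTLS12` already meets the HTTP/2 TLS floor here. The function body starts and ends outside the hunk.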