diff --git a/src/api.rs b/src/api.rs
index f0242db..7269dec 100644
--- a/src/api.rs
+++ b/src/api.rs
@@ -267,8 +267,17 @@ async fn put_cert_update(
     }): State<ApiState>,
     CertificateBody(cert): CertificateBody,
 ) -> ApiResult<String> {
-    cert.validate(&[ca.fingerprint(Default::default())])
-        .map_err(|_| ApiError::CertificateInvalid)?;
+    let cert = {
+        let ca = ca.clone();
+        tokio::task::spawn_blocking(move || -> ApiResult<Certificate> {
+            let cert = cert;
+            cert.validate(&[ca.fingerprint(Default::default())])
+                .map_err(|_| ApiError::CertificateInvalid)?;
+            Ok(cert)
+        })
+        .await
+        .context("signature verification")??
+    };
     let prev = load_cert_by_id(&cert_dir, &ca, cert.key_id()).await?;
     let mut prev_serial = 0;
     let serial = cert.serial();