diff --git a/warden3/contrib/warden_ra/warden_ra.py b/warden3/contrib/warden_ra/warden_ra.py
index 24a7f838cf92bba130e82123f319f46268bf997a..f9e26c9828a0bdbfb8b83703e28bb4fc040ba9bb 100755
--- a/warden3/contrib/warden_ra/warden_ra.py
+++ b/warden3/contrib/warden_ra/warden_ra.py
@@ -329,17 +329,17 @@ class CertHandler(ObjectBase):
         if self.req.client == "cert":
             # Correctly authenticated by cert, most probably not preactivated with password,
             # so generate oneshot password and allow now
-            password = "".join((random.choice(string.ascii_letters + string.digits) for dummy in range(16)))
+            password = ["".join((random.choice(string.ascii_letters + string.digits) for dummy in range(16)))]
             self.log.debug("Authorized by X509, enabling cert generation with password %s" % password)
             try:
-                client.update(status="Issuable", pwd=password)
+                client.update(status="Issuable", pwd=password[0])
                 self.registry.save_client(client)
             except ClientDisabledError as e:
                 raise self.req.error(message="Error enabling cert generation", error=403, exc=sys.exc_info())
         if not password:
             raise self.req.error(message="Missing password and certificate validation failed", error=403, name=name, password=password)
         try:
-            newcert = self.registry.new_cert(client, csr_data, password)
+            newcert = self.registry.new_cert(client, csr_data, password[0])
         except Exception as e:
             raise self.req.error(message="Processing error", error=403, exc=sys.exc_info())
         self.log.info("Generated.")