diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index 956b440f7..20d55d4d6 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@@ -109,7 +109,7 @@ class TlsConfig(Config):
         # fingerprints of a new certificate and wait for the caches on other
         # servers to expire before deploying it.
         tls_fingerprints: []
-        #- {"sha256": "<base64_encoded_sha256_fingerprint>"}
+        # tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
         """ % locals()
 
     def read_tls_certificate(self, cert_path):
diff --git a/synapse/rest/key/v2/local_key_resource.py b/synapse/rest/key/v2/local_key_resource.py
index 1cf69f3ed..ff95269ba 100644
--- a/synapse/rest/key/v2/local_key_resource.py
+++ b/synapse/rest/key/v2/local_key_resource.py
@@ -46,9 +46,12 @@ class LocalKey(Resource):
                     "expired_ts": # integer posix timestamp when the key expired.
                     "key": # base64 encoded NACL verification key.
                 }
-            }
-            "tls_fingerprints": # Fingerprints of the TLS certs this server uses.
-                - {"sha256": "..."}
+            },
+            "tls_fingerprints": [ # Fingerprints of the TLS certs this server uses.
+                {
+                    "sha256": # base64 encoded sha256 fingerprint of the X509 cert
+                },
+            ],
             "signatures": {
                 "this.server.example.com": {
                    "algorithm:version": # NACL signature for this server