diff --git a/docs/RELEASE-NOTES.rst b/docs/RELEASE-NOTES.rst
index f5340e90a..2ce6e760f 100644
--- a/docs/RELEASE-NOTES.rst
+++ b/docs/RELEASE-NOTES.rst
@@ -12,6 +12,7 @@ Added Functionality
 Bug Fixes
 ````````````
+* `Issue 3679 `_: Certificate, CA chain, and private key shown in debug logs
 2.19.0
 -------------
diff --git a/pkg/agent/as3/postManager.go b/pkg/agent/as3/postManager.go
index da78c60bb..eeb9dbb84 100644
--- a/pkg/agent/as3/postManager.go
+++ b/pkg/agent/as3/postManager.go
@@ -401,8 +401,13 @@ func (postMgr *PostManager) getBigipRegKeyURL() string {
 }
 
 func (postMgr *PostManager) logAS3Response(responseMap map[string]interface{}) {
+ // Avoid modifying the original response
+ responseMapCopy := make(map[string]interface{})
+ for key, value := range responseMap {
+ responseMapCopy[key] = value
+ }
 // removing the certificates/privateKey from response log
- if declaration, ok := (responseMap["declaration"]).([]interface{}); ok {
+ if declaration, ok := (responseMapCopy["declaration"]).(map[string]interface{}); ok {
 for _, value := range declaration {
 if tenantMap, ok := value.(map[string]interface{}); ok {
 for _, value2 := range tenantMap {
@@ -425,9 +430,9 @@ func (postMgr *PostManager) logAS3Response(responseMap map[string]interface{}) {
 log.Errorf("[AS3] error while reading declaration from AS3 response: %v\n", err)
 return
 }
- responseMap["declaration"] = as3Declaration(decl)
+ responseMapCopy["declaration"] = as3Declaration(decl)
 }
- log.Debugf("[AS3] Raw response from Big-IP: %v ", responseMap)
+ log.Debugf("[AS3] Raw response from Big-IP: %v ", responseMapCopy)
 }
 
 func (postMgr *PostManager) logAS3Request(cfg string) {
diff --git a/pkg/controller/postManager.go b/pkg/controller/postManager.go
index 8a2c6f084..8dd067f59 100644
--- a/pkg/controller/postManager.go
+++ b/pkg/controller/postManager.go
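Review bot: The copy loop added at the top of logAS3Response in pkg/agent/as3/postManager.go is shallow, so `// Avoid modifying the original response` holds only for top-level keys: `responseMapCopy["declaration"]` is the same map value as `responseMap["declaration"]`, and the tenant maps under it are shared too. The redaction statements sit between the two hunks and are not visible here; if they delete or overwrite certificate and key fields in place, the caller's response is still changed after this commit. Either redact a deep copy of the declaration, or make the comment say what is actually guaranteed, e.g. `// Shallow copy: only the top-level "declaration" entry is replaced; nested maps are shared with responseMap`. The same loop is added in pkg/controller/postManager.go.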
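Review bot: Redaction in logAS3Response (pkg/agent/as3/postManager.go) still fails open: when the `.(map[string]interface{})` assertion on `declaration` is false, control falls through to `log.Debugf(..., responseMapCopy)` and the declaration is logged as received, certificates and private keys included. That appears to be how the old `[]interface{}` assertion exposed them, and as far as the two hunks show there is no else branch (the body between the hunks is not visible). Now that a copy is being logged, the field can be dropped safely when its shape is unexpected: `} else { delete(responseMapCopy, "declaration") }`. The matching hunk in pkg/controller/postManager.go needs the same branch.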
@@ -637,8 +637,13 @@ func (postMgr *PostManager) getBigipRegKeyURL() string {
 }
 
 func (postMgr *PostManager) logAS3Response(responseMap map[string]interface{}) {
+ // Avoid modifying the original response
+ responseMapCopy := make(map[string]interface{})
+ for key, value := range responseMap {
+ responseMapCopy[key] = value
+ }
 // removing the certificates/privateKey from response log
- if declaration, ok := (responseMap["declaration"]).([]interface{}); ok {
+ if declaration, ok := (responseMapCopy["declaration"]).(map[string]interface{}); ok {
 for _, value := range declaration {
 if tenantMap, ok := value.(map[string]interface{}); ok {
 for _, value2 := range tenantMap {
@@ -661,9 +666,9 @@ func (postMgr *PostManager) logAS3Response(responseMap map[string]interface{}) {
 log.Errorf("[AS3]%v error while reading declaration from AS3 response: %v\n", postMgr.postManagerPrefix, err)
 return
 }
- responseMap["declaration"] = as3Declaration(decl)
+ responseMapCopy["declaration"] = as3Declaration(decl)
 }
- log.Debugf("[AS3]%v Raw response from Big-IP: %v ", postMgr.postManagerPrefix, responseMapCopy)
+ log.Debugf("[AS3]%v Raw response from Big-IP: %v ", postMgr.postManagerPrefix, responseMapCopy)
 }
 
 func (postMgr *PostManager) logAS3Request(cfg string) {
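Review bot: logAS3Response in pkg/controller/postManager.go is a line-for-line duplicate of the one in pkg/agent/as3/postManager.go apart from the `postMgr.postManagerPrefix` argument, and the wrong type assertion had to be corrected in both copies. Moving the redaction into one shared helper that takes the response map and returns the redacted copy would stop the two log paths from drifting apart again. It would also give a single place for a regression test that passes a declaration containing a `privateKey` field and asserts the value does not appear in the formatted output; no test is part of this diff.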