diff --git a/Source/MQTTnet.Server/Configuration/CertificateSettingsModel.cs b/Source/MQTTnet.Server/Configuration/CertificateSettingsModel.cs
new file mode 100644
index 0000000..89eb48b
--- /dev/null
+++ b/Source/MQTTnet.Server/Configuration/CertificateSettingsModel.cs
@@ -0,0 +1,35 @@
+using System.IO;
+
+namespace MQTTnet.Server.Configuration
+{
+ public class CertificateSettingsModel
+ {
+ ///
+ /// Path to certificate.
+ ///
+ public string Path { get; set; }
+
+ ///
+ /// Password of certificate.
+ ///
+ public string Password { get; set; }
+
+ ///
+ /// Read certificate file.
+ ///
+ public byte[] ReadCertificate()
+ {
+ if (string.IsNullOrEmpty(Path) || string.IsNullOrWhiteSpace(Path))
+ {
+ throw new FileNotFoundException("No path set");
+ }
+
+ if (!File.Exists(Path))
+ {
+ throw new FileNotFoundException($"Could not find Certificate in path: {Path}");
+ }
+
+ return File.ReadAllBytes(Path);
+ }
+ }
+}
diff --git a/Source/MQTTnet.Server/Configuration/TcpEndpointModel.cs b/Source/MQTTnet.Server/Configuration/TcpEndpointModel.cs
index 8221390..8693268 100644
--- a/Source/MQTTnet.Server/Configuration/TcpEndpointModel.cs
+++ b/Source/MQTTnet.Server/Configuration/TcpEndpointModel.cs
@@ -9,9 +9,9 @@ namespace MQTTnet.Server.Configuration
 public class TcpEndPointModel
 {
 ///
- /// Path to Certificate
+ /// Certificate settings.
 ///
- public string CertificatePath { get; set; }
+ public CertificateSettingsModel Certificate { get; set; }
 
 ///
 /// Enabled / Disable
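Review bot: The guard `string.IsNullOrEmpty(Path) || string.IsNullOrWhiteSpace(Path)` in `ReadCertificate` is redundant, since `IsNullOrWhiteSpace` already returns true for null and empty, so `if (string.IsNullOrWhiteSpace(Path))` says the same thing. Throwing `FileNotFoundException("No path set")` also conflates "not configured" with "configured but missing"; `throw new InvalidOperationException("Certificate path is not configured");` keeps the two failure modes distinguishable in logs. Naming the property `Path` in a file that imports `System.IO` means the identifier `Path` inside this class always resolves to the string property rather than `System.IO.Path`, which is a trap for the next edit even if it compiles today. The XML doc on `ReadCertificate` should gain `<returns>The raw bytes of the certificate file.</returns>` and `<exception cref="FileNotFoundException">` entries, and the `Password` doc should state that it is the PFX password and must never be written to logs or error messages.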
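Review bot: `CertificatePath` is removed outright rather than kept as a deprecated alias, so an existing appsettings.json that still sets `CertificatePath` binds nothing and the encrypted endpoint silently ends up with `Certificate == null`. If configuration compatibility matters, keep `[Obsolete("Use Certificate.Path")] public string CertificatePath { get; set; }` and map it onto `Certificate` where the settings are consumed, or at least call the rename out as a breaking change. `Certificate` also has no default, so every consumer has to null-check it; `public CertificateSettingsModel Certificate { get; set; } = new CertificateSettingsModel();` would let callers test `Certificate.Path` directly.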
@@ -33,25 +33,6 @@ namespace MQTTnet.Server.Configuration
 ///
 public int Port { get; set; } = 1883;
 
- ///
- /// Read Certificate file
- ///
- ///
- public byte[] ReadCertificate()
- {
- if (string.IsNullOrEmpty(CertificatePath) || string.IsNullOrWhiteSpace(CertificatePath))
- {
- throw new FileNotFoundException("No path set");
- }
-
- if (!File.Exists(CertificatePath))
- {
- throw new FileNotFoundException($"Could not find Certificate in path: {CertificatePath}");
- }
-
- return File.ReadAllBytes(CertificatePath);
- }
-
 ///
 /// Read IPv4
 ///
diff --git a/Source/MQTTnet.Server/Mqtt/MqttServerService.cs b/Source/MQTTnet.Server/Mqtt/MqttServerService.cs
index efb0010..b8c463f 100644
--- a/Source/MQTTnet.Server/Mqtt/MqttServerService.cs
+++ b/Source/MQTTnet.Server/Mqtt/MqttServerService.cs
@@ -47,7 +47,7 @@ namespace MQTTnet.Server.Mqtt
 MqttSubscriptionInterceptor mqttSubscriptionInterceptor,
 MqttApplicationMessageInterceptor mqttApplicationMessageInterceptor,
 MqttServerStorage mqttServerStorage,
- PythonScriptHostService pythonScriptHostService,
+ PythonScriptHostService pythonScriptHostService,
 ILogger logger)
 {
 _settings = mqttSettings ?? throw new ArgumentNullException(nameof(mqttSettings));
@@ -179,7 +179,7 @@ namespace MQTTnet.Server.Mqtt
 .WithApplicationMessageInterceptor(_mqttApplicationMessageInterceptor)
 .WithSubscriptionInterceptor(_mqttSubscriptionInterceptor)
 .WithStorage(_mqttServerStorage);
-
+
 // Configure unencrypted connections
 if (_settings.TcpEndPoint.Enabled)
 {
@@ -210,9 +210,23 @@ namespace MQTTnet.Server.Mqtt
 {
 options
 .WithEncryptedEndpoint()
- .WithEncryptionSslProtocol(SslProtocols.Tls12)
- .WithEncryptionCertificate(_settings.EncryptedTcpEndPoint.ReadCertificate());
+ .WithEncryptionSslProtocol(SslProtocols.Tls12);
+
+ if (!string.IsNullOrEmpty(_settings.EncryptedTcpEndPoint?.Certificate?.Path))
+ {
+ IMqttServerCertificateCredentials certificateCredentials = null;
+ if (!string.IsNullOrEmpty(_settings.EncryptedTcpEndPoint?.Certificate?.Password))
+ {
+ certificateCredentials = new MqttServerCertificateCredentials
+ {
+ Password = _settings.EncryptedTcpEndPoint.Certificate.Password
+ };
+ }
+
+ options.WithEncryptionCertificate(_settings.EncryptedTcpEndPoint.Certificate.ReadCertificate(), certificateCredentials);
+ }
+
 
 if (_settings.EncryptedTcpEndPoint.TryReadIPv4(out var address4))
 {
 options.WithEncryptedEndpointBoundIPAddress(address4);
diff --git a/Source/MQTTnet.Server/appsettings.json b/Source/MQTTnet.Server/appsettings.json
index 8ea10d6..71eaf20 100644
--- a/Source/MQTTnet.Server/appsettings.json
+++ b/Source/MQTTnet.Server/appsettings.json
@@ -27,7 +27,10 @@
 "IPv4": "*",
 "IPv6": "*",
 "Port": 8883,
- "CertificatePath": "/absolute/path/to/pfx"
+ "Certificate": {
+ "Path": "/absolute/path/to/pfx",
+ "Password": ""
+ }
 },
 "WebSocketEndPoint": {
 "Enabled": true,
@@ -63,4 +66,4 @@
 }
 },
 "AllowedHosts": "*"
-}
+}
\ No newline at end of file
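Review bot: When `Certificate?.Path` is empty the new code still calls `WithEncryptedEndpoint()` and `WithEncryptionSslProtocol(SslProtocols.Tls12)` but attaches no certificate, so the "No path set" failure that `ReadCertificate()` used to raise at this spot is gone; whether MQTTnet rejects the options later or starts a TLS listener without a certificate is not visible in this hunk, so an explicit `else { throw new InvalidOperationException("EncryptedTcpEndPoint is enabled but Certificate.Path is not configured."); }` after the new `if` would keep the misconfiguration loud. The null-conditional in `_settings.EncryptedTcpEndPoint?.Certificate?.Path` is inconsistent with the unconditional `_settings.EncryptedTcpEndPoint.TryReadIPv4(...)` a few lines below (and presumably with the enclosing `Enabled` check outside the hunk), so either drop the `?.` on `EncryptedTcpEndPoint` or hoist `var certificate = _settings.EncryptedTcpEndPoint.Certificate;` once and test that local instead of repeating the chain four times. Pinning `SslProtocols.Tls12` excludes TLS 1.3 on runtimes that offer it; `SslProtocols.None` defers to OS policy and is the usual recommendation, provided the MQTTnet version in use accepts it. The enclosing method starts and ends outside the hunk.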
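Review bot: `"Password": ""` introduces the PFX password as a key in appsettings.json, a file that is committed to the repository and typically deployed readable by the service account, so any real value here becomes a plaintext secret in source control. Keep the committed value empty and supply the key through a non-file provider (user secrets in development, an environment variable or a secret store in production), which the configuration binder layers over this file. It is worth documenting alongside the `Certificate` section in the project's configuration docs (JSON cannot carry a comment) that an empty `Password` means the PFX is loaded without one, as `MqttServerService` only builds credentials when the value is non-empty.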