diff --git a/main.go b/main.go
index 2059da5..acd0484 100644
--- a/main.go
+++ b/main.go
@@ -155,12 +155,11 @@ func run() int {
 mainLogger.Info("Starting proxy server...")
 if args.cert != "" {
- cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile)
+ cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile, args.ciphers)
 if err1 != nil {
 mainLogger.Critical("TLS config construction failed: %v", err1)
 return 3
 }
- cfg.CipherSuites = makeCipherList(args.ciphers)
 server.TLSConfig = cfg
 err = server.ListenAndServeTLS("", "")
 } else if args.autocert {
@@ -180,7 +179,11 @@ func run() int {
 }()
 }
 cfg := m.TLSConfig()
- cfg.CipherSuites = makeCipherList(args.ciphers)
+ cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers)
+ if err != nil {
+ mainLogger.Critical("TLS config construction failed: %v", err)
+ return 3
+ }
 server.TLSConfig = cfg
 err = server.ListenAndServeTLS("", "")
 } else {
diff --git a/utils.go b/utils.go
index a692361..3308372 100644
--- a/utils.go
+++ b/utils.go
@@ -149,7 +149,7 @@ func copyBody(wr io.Writer, body io.Reader) {
 }
 }
-func makeServerTLSConfig(certfile, keyfile, cafile string) (*tls.Config, error) {
+func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string) (*tls.Config, error) {
 var cfg tls.Config
 cert, err := tls.LoadX509KeyPair(certfile, keyfile)
 if err != nil {
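Review bot: The new `updateServerTLSConfig` call installs `ClientCAs` with `tls.VerifyClientCertIfGiven` on the config returned by `m.TLSConfig()`, which — if `m` is an `autocert.Manager` — is the same config that answers ACME TLS-ALPN-01 challenge handshakes; this only works because the client-auth mode is optional, and a future tightening to `RequireAndVerifyClientCert` at this spot would silently break certificate issuance. I would record that next to the call: `// cafile is applied to the autocert config too; keep ClientAuth optional, the ACME validator presents no client cert.` The `cfg, err =` reassignment is also redundant, since the helper mutates cfg in place and returns the same pointer, though harmless. run() starts and ends outside this hunk.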
@@ -168,9 +168,27 @@ func makeServerTLSConfig(certfile, keyfile, cafile string) (*tls.Config, error)
 cfg.ClientCAs = roots
 cfg.ClientAuth = tls.VerifyClientCertIfGiven
 }
+ cfg.CipherSuites = makeCipherList(ciphers)
 return &cfg, nil
 }
+func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string) (*tls.Config, error) {
+ if cafile != "" {
+ roots := x509.NewCertPool()
+ certs, err := ioutil.ReadFile(cafile)
+ if err != nil {
+ return nil, err
+ }
+ if ok := roots.AppendCertsFromPEM(certs); !ok {
+ return nil, errors.New("Failed to load CA certificates")
+ }
+ cfg.ClientCAs = roots
+ cfg.ClientAuth = tls.VerifyClientCertIfGiven
+ }
+ cfg.CipherSuites = makeCipherList(ciphers)
+ return cfg, nil
+}
+
 func makeCipherList(ciphers string) []uint16 {
 if ciphers == "" {
 return nil
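Review bot: `updateServerTLSConfig` duplicates the `ClientCAs`/`ClientAuth`/`CipherSuites` assignments visible at the top of this hunk in `makeServerTLSConfig` (and presumably the CA-pool loading just above it, outside the hunk), so the two paths can drift; after `tls.LoadX509KeyPair` succeeds, makeServerTLSConfig could simply `return updateServerTLSConfig(&cfg, cafile, ciphers)` and drop its own copy. The new function also has no doc comment although its contract is non-obvious — it mutates the passed config and returns the same pointer — and the security-relevant part deserves stating: `// updateServerTLSConfig applies cafile and ciphers to cfg in place. Clients presenting a cert must chain to cafile, but clients presenting none are still accepted (VerifyClientCertIfGiven).` Handlers that rely on client identity therefore still have to check `r.TLS.PeerCertificates`, and `CipherSuites` has no effect on TLS 1.3 handshakes, which the cipher flag's help text should mention if it does not already. Minor: `ioutil.ReadFile` is deprecated in favor of `os.ReadFile` since Go 1.16 and Go error strings are conventionally lowercase, though both presumably mirror the existing code above.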