diff --git a/src/ejabberd_pkix.erl b/src/ejabberd_pkix.erl
index 7c03f1772..f9f0472f6 100644
--- a/src/ejabberd_pkix.erl
+++ b/src/ejabberd_pkix.erl
@@ -27,7 +27,7 @@
 %% API
 -export([start_link/0, add_certfile/1, format_error/1, opt_type/1,
- get_certfile/1, route_registered/1]).
+ get_certfile/1, try_certfile/1, route_registered/1]).
 %% gen_server callbacks
 -export([init/1, handle_call/3, handle_cast/2, handle_info/2,
 terminate/2, code_change/3]).
@@ -56,15 +56,16 @@
 %%%===================================================================
 -spec add_certfile(filename:filename()) -> ok | {error, cert_error() | file:posix()}.
-add_certfile(Path0) ->
- Path = case filename:pathtype(Path0) of
- relative ->
- {ok, CWD} = file:get_cwd(),
- iolist_to_binary(filename:join(CWD, Path0));
- _ ->
- iolist_to_binary(Path0)
- end,
- gen_server:call(?MODULE, {add_certfile, Path}).
+add_certfile(Path) ->
+ gen_server:call(?MODULE, {add_certfile, prep_path(Path)}).
+
+-spec try_certfile(filename:filename()) -> binary().
+try_certfile(Path0) ->
+ Path = prep_path(Path0),
+ case mk_cert_state(Path, false) of
+ {ok, _} -> Path;
+ {error, _} -> erlang:error(badarg)
+ end.
 route_registered(Route) ->
 gen_server:call(?MODULE, {route_registered, Route}).
@@ -515,6 +516,16 @@ get_cert_path(G, [Root|_] = Acc) ->
 end, Es)
 end.
+-spec prep_path(filename:filename()) -> binary().
+prep_path(Path0) ->
+ case filename:pathtype(Path0) of
+ relative ->
+ {ok, CWD} = file:get_cwd(),
+ iolist_to_binary(filename:join(CWD, Path0));
+ _ ->
+ iolist_to_binary(Path0)
+ end.
+
 -ifdef(SHORT_NAME_HASH).
 short_name_hash(IssuerID) ->
 public_key:short_name_hash(IssuerID).
diff --git a/src/ejabberd_sql.erl b/src/ejabberd_sql.erl
index 7d607781c..3b252631e 100644
--- a/src/ejabberd_sql.erl
+++ b/src/ejabberd_sql.erl
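Review bot: `try_certfile/1` collapses every failure from `mk_cert_state(Path, false)` into a bare `erlang:error(badarg)`, so an operator whose `sql_ssl_certfile` or `ldap_tls_certfile` points at a missing, unreadable or unparsable file gets a badarg from option validation with no indication of which file or why. The reason is discarded at `{error, _} -> erlang:error(badarg)`; the module already exports `format_error/1`, so the clause could bind the reason, log `format_error(Why)` together with `Path`, and then raise. The `false` second argument to `mk_cert_state/2` is not explained anywhere in the hunk and that function is outside the diff; a one-line doc on try_certfile stating what it validates and that it does not go through the gen_server (it calls mk_cert_state directly, unlike add_certfile/1) would save the next reader the lookup.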
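Review bot: `prep_path/1` resolves a relative path against `file:get_cwd()` at the moment it is called, which for `try_certfile/1` is option-validation time; for a daemon the cwd at that point is not necessarily the directory the config file lives in, and the function has no comment saying so. Suggested header: `%% Make Path0 absolute against the current working directory at call time (not the config file's directory) and return it as a binary.` The `{ok, CWD} = file:get_cwd()` match is assertive and will badmatch if the cwd is unreadable, which is a different error shape from the badarg that try_certfile/1 raises for a bad file; worth knowing if anything catches badarg specifically.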
@@ -1104,7 +1104,7 @@ opt_type(sql_server) -> fun iolist_to_binary/1;
 opt_type(sql_username) -> fun iolist_to_binary/1;
 opt_type(sql_ssl) -> fun(B) when is_boolean(B) -> B end;
 opt_type(sql_ssl_verify) -> fun(B) when is_boolean(B) -> B end;
-opt_type(sql_ssl_certfile) -> fun misc:try_read_file/1;
+opt_type(sql_ssl_certfile) -> fun ejabberd_pkix:try_certfile/1;
 opt_type(sql_ssl_cafile) -> fun misc:try_read_file/1;
 opt_type(sql_query_timeout) ->
 fun (I) when is_integer(I), I > 0 -> I end;
@@ -1115,6 +1115,6 @@ opt_type(sql_queue_type) ->
 opt_type(_) ->
 [sql_database, sql_keepalive_interval, sql_password, sql_port, sql_server,
- sql_username, sql_ssl, sql_ssl_verify, sql_ssl_cerfile,
+ sql_username, sql_ssl, sql_ssl_verify, sql_ssl_certfile,
 sql_ssl_cafile, sql_queue_type, sql_query_timeout,
 sql_connect_timeout].
diff --git a/src/eldap.erl b/src/eldap.erl
index 3c565e71d..f47550353 100644
--- a/src/eldap.erl
+++ b/src/eldap.erl
@@ -130,7 +130,8 @@
 port = 389 :: inet:port_number(),
 sockmod = gen_tcp :: ssl | gen_tcp,
 tls = none :: none | tls,
- tls_options = [] :: [{cacertfile, string()} |
+ tls_options = [] :: [{certfile, string()} |
+ {cacertfile, string()} |
 {depth, non_neg_integer()} |
 {verify, non_neg_integer()}],
 fd :: gen_tcp:socket() | undefined,
@@ -577,11 +578,17 @@ init([Hosts, Port, Rootdn, Passwd, Opts]) ->
 end;
 PT -> PT
 end,
+ CertOpts = case proplists:get_value(tls_certfile, Opts) of
+ undefined ->
+ [];
+ Path1 ->
+ [{certfile, Path1}]
+ end,
 CacertOpts = case proplists:get_value(tls_cacertfile, Opts) of
 undefined ->
 [];
- Path ->
- [{cacertfile, Path}]
+ Path2 ->
+ [{cacertfile, Path2}]
 end,
 DepthOpts = case proplists:get_value(tls_depth, Opts) of
 undefined ->
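Review bot: `ejabberd_pkix:try_certfile/1` returns the resolved path as a binary, whereas the `ldap_tls_certfile` validator this same commit adds to eldap_utils converts that result with `binary_to_list/1` before it can reach the ssl option list. The code that consumes `sql_ssl_certfile` is outside this hunk, so I cannot tell whether it accepts a binary path or relied on the shape `misc:try_read_file/1` used to return; if it hands the value straight to ssl, mirroring eldap_utils here, `opt_type(sql_ssl_certfile) -> fun(S) -> binary_to_list(ejabberd_pkix:try_certfile(S)) end;`, removes the doubt. Note also that `sql_ssl_cafile` on the next line keeps `misc:try_read_file/1`, so the certificate and CA file are now validated to different standards; fine if intentional, but a short comment would stop someone "fixing" it later.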
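Review bot: `[{certfile, Path1}]` is added without a matching `keyfile` option, so the ssl application will look for the private key in the same PEM file as the certificate. The option validator upstream (`ejabberd_pkix:try_certfile/1`) only confirms that `mk_cert_state/2` accepts the file, and whether that also requires a private key to be present is outside this diff; if it does not, a certificate-only PEM passes config validation and the failure surfaces only when the LDAP TLS handshake is attempted. A comment on `CertOpts` such as `%% no keyfile is given, so the PEM at tls_certfile must also contain the private key` would make the requirement explicit for operators. The `init/1` body continues outside the hunk.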
@@ -596,11 +603,11 @@ init([Hosts, Port, Rootdn, Passwd, Opts]) ->
 "certfiles configured, so verification "
 "is disabled.", []),
- [];
+ CertOpts;
 Verify == soft ->
- [{verify, 1}] ++ CacertOpts ++ DepthOpts;
+ [{verify, 1}] ++ CertOpts ++ CacertOpts ++ DepthOpts;
 Verify == hard ->
- [{verify, 2}] ++ CacertOpts ++ DepthOpts;
+ [{verify, 2}] ++ CertOpts ++ CacertOpts ++ DepthOpts;
 true -> []
 end,
 {ok, connecting,
diff --git a/src/eldap_utils.erl b/src/eldap_utils.erl
index 1dcdf0b48..5924c8af7 100644
--- a/src/eldap_utils.erl
+++ b/src/eldap_utils.erl
@@ -177,6 +177,7 @@ get_config(Host, Opts) ->
 Backups = get_opt(ldap_backups, Host, Opts, []),
 Encrypt = get_opt(ldap_encrypt, Host, Opts, none),
 TLSVerify = get_opt(ldap_tls_verify, Host, Opts, false),
+ TLSCertFile = get_opt(ldap_tls_certfile, Host, Opts),
 TLSCAFile = get_opt(ldap_tls_cacertfile, Host, Opts),
 TLSDepth = get_opt(ldap_tls_depth, Host, Opts),
 Port = get_opt(ldap_port, Host, Opts,
@@ -203,6 +204,7 @@ get_config(Host, Opts) ->
 backups = Backups,
 tls_options = [{encrypt, Encrypt},
 {tls_verify, TLSVerify},
+ {tls_certfile, TLSCertFile},
 {tls_cacertfile, TLSCAFile},
 {tls_depth, TLSDepth}],
 port = Port,
@@ -339,6 +341,7 @@ collect_parts_bit([],Acc,Uacc) ->
 (ldap_rootdn) -> fun((binary()) -> binary());
 (ldap_servers) -> fun(([binary()]) -> [binary()]);
 (ldap_tls_certfile) -> fun((binary()) -> string());
+ (ldap_tls_cacertfile) -> fun((binary()) -> string());
 (ldap_tls_depth) -> fun((non_neg_integer()) -> non_neg_integer());
 (ldap_tls_verify) -> fun((hard | soft | false) -> hard | soft | false);
 (ldap_filter) -> fun((binary()) -> binary());
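Review bot: The final `true -> []` branch is left untouched, so whenever neither the `soft` nor the `hard` branch (nor the warning branch at the top of the hunk) applies, `CertOpts` is dropped and a configured `tls_certfile` is silently not presented to the LDAP server. The head of this `if` is outside the hunk, so I cannot see which condition the fallback covers, but if it is the "verification off" case the client certificate is still wanted there and the line should read `true -> CertOpts`. If the fallback is genuinely meant to disable TLS options entirely, a comment saying why the client certificate is intentionally omitted would stop this looking like an oversight.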
@@ -366,6 +369,10 @@ opt_type(ldap_port) ->
 opt_type(ldap_rootdn) -> fun iolist_to_binary/1;
 opt_type(ldap_servers) ->
 fun (L) -> [iolist_to_binary(H) || H <- L] end;
+opt_type(ldap_tls_certfile) ->
+ fun(S) ->
+ binary_to_list(ejabberd_pkix:try_certfile(S))
+ end;
 opt_type(ldap_tls_cacertfile) ->
 fun(S) -> binary_to_list(misc:try_read_file(S)) end;
 opt_type(ldap_tls_depth) ->
@@ -390,4 +397,5 @@ opt_type(_) ->
 [deref_aliases, ldap_backups, ldap_base, ldap_uids, ldap_deref_aliases, ldap_encrypt, ldap_password, ldap_port, ldap_rootdn, ldap_servers, ldap_filter,
- ldap_tls_cacertfile, ldap_tls_depth, ldap_tls_verify].
+ ldap_tls_certfile, ldap_tls_cacertfile, ldap_tls_depth,
+ ldap_tls_verify].
diff --git a/src/mod_shared_roster_ldap.erl b/src/mod_shared_roster_ldap.erl
index 30cd44568..66cbebd93 100644
--- a/src/mod_shared_roster_ldap.erl
+++ b/src/mod_shared_roster_ldap.erl
@@ -583,7 +583,7 @@ mod_opt_type(ldap_servers) ->
 mod_opt_type(ldap_tls_cacertfile) ->
 fun misc:try_read_file/1;
 mod_opt_type(ldap_tls_certfile) ->
-fun misc:try_read_file/1;
+fun ejabberd_pkix:try_certfile/1;
 mod_opt_type(ldap_tls_depth) ->
 fun (I) when is_integer(I), I >= 0 -> I end;
 mod_opt_type(ldap_tls_verify) ->
diff --git a/src/mod_vcard_ldap.erl b/src/mod_vcard_ldap.erl
index 6a690779a..f1f076468 100644
--- a/src/mod_vcard_ldap.erl
+++ b/src/mod_vcard_ldap.erl
@@ -469,7 +469,7 @@ mod_opt_type(ldap_servers) ->
 mod_opt_type(ldap_tls_cacertfile) ->
 fun misc:try_read_file/1;
 mod_opt_type(ldap_tls_certfile) ->
-fun misc:try_read_file/1;
+fun ejabberd_pkix:try_certfile/1;
 mod_opt_type(ldap_tls_depth) ->
 fun (I) when is_integer(I), I >= 0 -> I end;
 mod_opt_type(ldap_tls_verify) ->
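Review bot: `binary_to_list(ejabberd_pkix:try_certfile(S))` maps each byte of the path to one character, so a path containing non-ASCII UTF-8 is turned into a latin1-style string before it reaches ssl; `unicode:characters_to_list/1` would preserve the characters (it can return an error tuple on malformed input, which a config validator can treat as a rejection). The pre-existing `ldap_tls_cacertfile` clause directly below has the same conversion, so this is consistent rather than new, but neither clause says why the conversion is there; the eldap record type in this commit declares the paths as `string()`, so a comment such as `%% eldap's tls_options record expects string() paths` on the new clause would explain it.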
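Review bot: `mod_opt_type(ldap_tls_certfile)` now returns the binary produced by `ejabberd_pkix:try_certfile/1`, while the global `eldap_utils:opt_type(ldap_tls_certfile)` added in this same commit returns a string via `binary_to_list/1`. If `eldap_utils:get_config/2` (its `get_opt` helper is outside the diff) falls back from the module option to the global one, the value reaching eldap's `{certfile, _}` option is a binary or a string depending on where the operator set it, against a record type declared as `string()`. The `ldap_tls_cacertfile` clause above already carries the same asymmetry, so this may be tolerated downstream, but wrapping the new clause the same way as eldap_utils, `fun(S) -> binary_to_list(ejabberd_pkix:try_certfile(S)) end;`, would keep the two paths identical. The same applies to the mod_vcard_ldap hunk.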