diff --git a/config/tls.go b/config/tls.go
index 198885c..19428f9 100644
--- a/config/tls.go
+++ b/config/tls.go
@@ -8,21 +8,27 @@ import (
 )
 func TLS(certPath string, keyPath string, clientCAPath string) (*tls.Config, error) {
- tlsConfig := &tls.Config{}
+ var tlsConfig *tls.Config
 if certPath != "" && keyPath != "" {
 cert, err := tls.LoadX509KeyPair(certPath, keyPath)
 if err != nil {
- return nil, fmt.Errorf("error: unable load key pair: %s", err)
+ return nil, fmt.Errorf("unable load key pair: %s", err)
 }
- tlsConfig.Certificates = []tls.Certificate{cert}
+ tlsConfig = &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ }
 }
 if clientCAPath != "" {
+ if tlsConfig == nil {
+ return nil, fmt.Errorf("cannot check client certificate without a server certificate and key")
+ }
+
 data, err := ioutil.ReadFile(clientCAPath)
 if err != nil {
- return nil, fmt.Errorf("error: unable read CA file: %s", err)
+ return nil, fmt.Errorf("unable read CA file: %s", err)
 }
 pool := x509.NewCertPool()