diff --git a/cmd/cashierd/main.go b/cmd/cashierd/main.go
index 88f190e44f2f8e4c48772f274406658b02bc0100..563f4fd01d7bb5ec732897c30d96074ae872618f 100644
--- a/cmd/cashierd/main.go
+++ b/cmd/cashierd/main.go
@@ -17,6 +17,7 @@ import (
 	"strconv"
 	"strings"
 
+	"go4.org/wkfs"
 	"golang.org/x/oauth2"
 
 	"github.com/gorilla/csrf"
@@ -312,6 +313,18 @@ func certStore(config string) (store.CertStorer, error) {
 	return cstore, err
 }
 
+func loadCerts(certFile, keyFile string) (tls.Certificate, error) {
+	key, err := wkfs.ReadFile(keyFile)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	cert, err := wkfs.ReadFile(certFile)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	return tls.X509KeyPair(cert, key)
+}
+
 func main() {
 	// Privileged section
 	flag.Parse()
@@ -343,7 +356,7 @@ func main() {
 	tlsConfig := &tls.Config{}
 	if config.Server.UseTLS {
 		tlsConfig.Certificates = make([]tls.Certificate, 1)
-		tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(config.Server.TLSCert, config.Server.TLSKey)
+		tlsConfig.Certificates[0], err = loadCerts(config.Server.TLSCert, config.Server.TLSKey)
 		if err != nil {
 			log.Fatal(err)
 		}