diff --git a/libpathod/pathod.py b/libpathod/pathod.py
index 2feb69967..0e3cca593 100644
--- a/libpathod/pathod.py
+++ b/libpathod/pathod.py
@@ -14,19 +14,19 @@ class PathodError(Exception): pass
 
 
 class SSLOptions:
-    def __init__(self, confdir=CONFDIR, cn=None, certfile=None, cacert=None,
+    def __init__(self, confdir=CONFDIR, cn=None, certfile=None, keyfile=None,
                  not_after_connect=None, request_client_cert=False,
                  sslversion=tcp.SSLv23_METHOD, ciphers=None):
         self.confdir = confdir
         self.cn = cn
-        if cacert:
-            self.cacert = os.path.expanduser(cacert)
+        if keyfile:
+            self.keyfile = os.path.expanduser(keyfile)
         else:
-            cacert = os.path.join(confdir, CA_CERT_NAME)
-            self.cacert = os.path.expanduser(cacert)
-            if not os.path.exists(self.cacert):
-                certutils.dummy_ca(self.cacert)
-        self.certstore = certutils.CertStore(self.cacert)
+            keyfile = os.path.join(confdir, CA_CERT_NAME)
+            self.keyfile = os.path.expanduser(keyfile)
+            if not os.path.exists(self.keyfile):
+                certutils.dummy_ca(self.keyfile)
+        self.certstore = certutils.CertStore(self.keyfile)
         self.certfile = certfile
         self.not_after_connect = not_after_connect
         self.request_client_cert = request_client_cert
@@ -104,7 +104,7 @@ class PathodHandler(tcp.BaseHandler):
             try:
                 self.convert_to_ssl(
                     self.server.ssloptions.get_cert(None),
-                    self.server.ssloptions.cacert,
+                    self.server.ssloptions.keyfile,
                     handle_sni = self.handle_sni,
                     request_client_cert = self.server.ssloptions.request_client_cert,
                     cipher_list = self.server.ssloptions.ciphers,
@@ -212,7 +212,7 @@ class PathodHandler(tcp.BaseHandler):
             try:
                 self.convert_to_ssl(
                     self.server.ssloptions.get_cert(None),
-                    self.server.ssloptions.cacert,
+                    self.server.ssloptions.keyfile,
                     handle_sni = self.handle_sni,
                     request_client_cert = self.server.ssloptions.request_client_cert,
                     cipher_list = self.server.ssloptions.ciphers,
diff --git a/pathod b/pathod
index 5b82f97e3..d150eac0d 100755
--- a/pathod
+++ b/pathod
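Review bot: When `certfile` is given but `keyfile` is not, the `else` branch still resolves `self.keyfile` to `os.path.join(confdir, CA_CERT_NAME)`, so a programmatic caller ends up with its own server certificate paired with the generated CA file instead of its own key; the CLI works around this with `keyfile = args.ssl_keyfile or args.ssl_certfile`, but the fallback belongs in this constructor, e.g. `keyfile = keyfile or certfile` before the `if keyfile:` test. The same attribute also feeds `certutils.CertStore(self.keyfile)`, which previously received the CA file; if CertStore uses its argument as the signing CA for generated certificates (the `dummy_ca` default path suggests it does), a user-supplied server key would now also become the signing CA, so the "CA file" and "server key" roles should stay separate attributes. Renaming the parameter from `cacert` to `keyfile` breaks any caller still passing `cacert=`; only the test in this commit is updated, other call sites are not visible here. The `os.path.exists` check guards only the generated path, so a missing user-supplied `keyfile` is not reported until the TLS setup runs; `__init__` continues past the end of the hunk.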
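Review bot: The `convert_to_ssl(...)` call is duplicated verbatim in this hunk (line 104) and the next one (line 212), and the `cacert`→`keyfile` change had to be applied to both in lockstep; moving the argument list into one helper (e.g. a `_ssl_kwargs()` method on PathodHandler that returns the cert, key, SNI, client-cert and cipher settings) would keep the two TLS entry points from drifting apart. Both `try:` blocks start and end outside their hunks, so it cannot be checked here whether a key that does not match `get_cert(None)` is logged or just drops the connection silently; that is worth confirming since the default key path no longer matches a user-supplied `certfile`.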
@@ -35,6 +35,7 @@ def main(parser, args):
         cn = args.cn,
         confdir = args.confdir,
         certfile = args.ssl_certfile,
+        keyfile = args.ssl_keyfile or args.ssl_certfile,
         not_after_connect = args.ssl_not_after_connect,
         ciphers = args.ciphers,
         sslversion = utils.SSLVERSIONS[args.sslversion]
@@ -174,7 +175,11 @@ if __name__ == "__main__":
     )
     group.add_argument(
         "--certfile", dest='ssl_certfile', default=None, type=str,
-        help='SSL cert file. If not specified, a default cert is used.'
+        help='SSL certificate in PEM format, optionally with the key in the same file.'
+    )
+    group.add_argument(
+        "--keyfile", dest='ssl_keyfile', default=None, type=str,
+        help='Key matching certfile.'
     )
     group.add_argument(
         "--ciphers", dest="ciphers", type=str, default=False,
diff --git a/test/test_pathod.py b/test/test_pathod.py
index 56ffd302a..c98e14088 100644
--- a/test/test_pathod.py
+++ b/test/test_pathod.py
@@ -67,7 +67,7 @@ class TestCustomCert(tutils.DaemonTests):
     ssl = True
     ssloptions = dict(
         certfile = tutils.test_data.path("data/testkey.pem"),
-        cacert = tutils.test_data.path("data/testkey.pem"),
+        keyfile = tutils.test_data.path("data/testkey.pem"),
     )
     def test_connect(self):
         r = self.pathoc(r"get:/p/202")
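Review bot: `keyfile = args.ssl_keyfile or args.ssl_certfile` passes `--keyfile` straight through when `--certfile` is absent, so a private key with no matching certificate reaches SSLOptions and, given the branch in `SSLOptions.__init__`, takes the place of the generated CA file for the cert store; rejecting that combination up front with `if args.ssl_keyfile and not args.ssl_certfile: parser.error("--keyfile requires --certfile")` fails fast with a clear message instead of a confusing handshake error later. The fallback to `ssl_certfile` is also a policy that only CLI users get; if it is the intended default it should live in SSLOptions so library callers behave the same way. `main` starts before this hunk.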
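Review bot: The help text for the new `--keyfile` option does not tell the user what happens when it is omitted, even though `main` falls back to the certfile and SSLOptions falls back to a generated CA file under confdir; `help='Private key in PEM format matching --certfile. Defaults to --certfile, for a file bundling certificate and key.'` documents the actual behaviour. The `--certfile` help should likewise keep the old sentence that a default certificate is generated when it is not given, since that behaviour still exists.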
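Review bot: The updated test still passes the same bundled `data/testkey.pem` as both `certfile` and `keyfile`, so the separate-key path this commit adds is only exercised with a combined file; a second case with the key in its own fixture (if such a file exists under test data) would cover the `--keyfile` branch, and a case with `certfile` but no `keyfile` would pin down which fallback is intended.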