diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index 6afcc47b..fc3cdce8 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -1816,7 +1816,7 @@ int parse_config(const char *opt, const char *optarg,
 
     return 0;
   case SHRPX_OPTID_CACERT:
-    mod_config()->tls.cacert = strcopy(optarg);
+    mod_config()->tls.cacert = optarg;
 
     return 0;
   case SHRPX_OPTID_BACKEND_IPV4:
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index d290a37a..8326cbf3 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@@ -431,7 +431,7 @@ struct TLSConfig {
   std::unique_ptr<char[]> cert_file;
   std::unique_ptr<char[]> dh_param_file;
   std::unique_ptr<char[]> ciphers;
-  std::unique_ptr<char[]> cacert;
+  ImmutableString cacert;
   bool insecure;
   bool no_http2_cipher_black_list;
 };
diff --git a/src/shrpx_connection_handler.cc b/src/shrpx_connection_handler.cc
index 8dea4f38..008f1289 100644
--- a/src/shrpx_connection_handler.cc
+++ b/src/shrpx_connection_handler.cc
@@ -202,9 +202,8 @@ int ConnectionHandler::create_single_worker() {
 #ifdef HAVE_NEVERBLEED
         nb_.get(),
 #endif // HAVE_NEVERBLEED
-        StringRef::from_maybe_nullptr(tlsconf.cacert.get()),
-        StringRef(memcachedconf.cert_file),
-        StringRef(memcachedconf.private_key_file), StringRef(), nullptr);
+        StringRef{tlsconf.cacert}, StringRef{memcachedconf.cert_file},
+        StringRef{memcachedconf.private_key_file}, StringRef(), nullptr);
     all_ssl_ctx_.push_back(session_cache_ssl_ctx);
   }
 
@@ -253,9 +252,8 @@ int ConnectionHandler::create_worker_thread(size_t num) {
 #ifdef HAVE_NEVERBLEED
           nb_.get(),
 #endif // HAVE_NEVERBLEED
-          StringRef::from_maybe_nullptr(tlsconf.cacert.get()),
-          StringRef(memcachedconf.cert_file),
-          StringRef(memcachedconf.private_key_file), StringRef(), nullptr);
+          StringRef{tlsconf.cacert}, StringRef{memcachedconf.cert_file},
+          StringRef{memcachedconf.private_key_file}, StringRef{}, nullptr);
       all_ssl_ctx_.push_back(session_cache_ssl_ctx);
     }
     auto worker =
@@ -768,9 +766,8 @@ SSL_CTX *ConnectionHandler::create_tls_ticket_key_memcached_ssl_ctx() {
 #ifdef HAVE_NEVERBLEED
       nb_.get(),
 #endif // HAVE_NEVERBLEED
-      StringRef::from_maybe_nullptr(tlsconf.cacert.get()),
-      StringRef(memcachedconf.cert_file),
-      StringRef(memcachedconf.private_key_file), StringRef(), nullptr);
+      StringRef{tlsconf.cacert}, StringRef{memcachedconf.cert_file},
+      StringRef{memcachedconf.private_key_file}, StringRef{}, nullptr);
 
   all_ssl_ctx_.push_back(ssl_ctx);
 
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index afbcbb15..bfba5a57 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -1323,7 +1323,7 @@ SSL_CTX *setup_downstream_client_ssl_context(
 #ifdef HAVE_NEVERBLEED
       nb,
 #endif // HAVE_NEVERBLEED
-      StringRef::from_maybe_nullptr(tlsconf.cacert.get()),
+      StringRef{tlsconf.cacert},
       StringRef::from_maybe_nullptr(tlsconf.client.cert_file.get()),
       StringRef::from_maybe_nullptr(tlsconf.client.private_key_file.get()),
       alpn, next_proto_select_cb);