diff --git a/src/shrpx.cc b/src/shrpx.cc
index 369c1a78..17adf31d 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -2085,7 +2085,7 @@ void process_options(
 }
 if (!upstreamconf.no_tls &&
- (tlsconf.private_key_file.empty() || !tlsconf.cert_file)) {
+ (tlsconf.private_key_file.empty() || tlsconf.cert_file.empty())) {
 print_usage(std::cerr);
 LOG(FATAL) << "Too few arguments";
 exit(EXIT_FAILURE);
diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index 10d9d97b..12e01978 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -1759,7 +1759,7 @@ int parse_config(const char *opt, const char *optarg,
 return 0;
 }
 case SHRPX_OPTID_CERTIFICATE_FILE:
- mod_config()->tls.cert_file = strcopy(optarg);
+ mod_config()->tls.cert_file = optarg;
 return 0;
 case SHRPX_OPTID_DH_PARAM_FILE:
@@ -1915,7 +1915,7 @@ int parse_config(const char *opt, const char *optarg,
 return 0;
 case SHRPX_OPTID_CLIENT_CERT_FILE:
- mod_config()->tls.client.cert_file = strcopy(optarg);
+ mod_config()->tls.client.cert_file = optarg;
 return 0;
 case SHRPX_OPTID_FRONTEND_HTTP2_DUMP_REQUEST_HEADER:
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index 4b6b514d..52f12ca1 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@@ -409,7 +409,7 @@ struct TLSConfig {
 // Client private key and certificate used in backend connections.
 struct {
 ImmutableString private_key_file;
- std::unique_ptr cert_file;
+ ImmutableString cert_file;
 } client;
 // The list of (private key file, certificate file) pair
@@ -428,7 +428,7 @@ struct TLSConfig {
 std::chrono::seconds session_timeout;
 ImmutableString private_key_file;
 std::unique_ptr private_key_passwd;
- std::unique_ptr cert_file;
+ ImmutableString cert_file;
 std::unique_ptr dh_param_file;
 std::unique_ptr ciphers;
 ImmutableString cacert;
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index c5e8b79f..adb80e47 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
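Review bot: The new assignment `mod_config()->tls.cert_file = optarg;` drops the copy that `strcopy(optarg)` made visible and now relies on an implicit `const char *` conversion in `ImmutableString`, whose definition is not part of this diff. The configuration has to own the path independently of whatever buffer `optarg` points into, so that conversion must be an owning copy; spelling it as `mod_config()->tls.cert_file = ImmutableString{optarg};` keeps the ownership obvious at the call site, assuming the converting constructor the assignment implies. The same applies to `tls.client.cert_file` in the hunk at line 1915. parse_config starts and ends outside both hunks.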
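Review bot: After this change `client.cert_file` reports "not configured" by being empty, and the same holds for `cert_file` in the hunk at line 428, while the neighbouring `private_key_passwd`, `dh_param_file` and `ciphers` shown there are still `std::unique_ptr` members that report it with a null pointer. TLSConfig therefore mixes two conventions, and a caller that copies the old null test onto a converted field will get it wrong. A one-line comment on each converted field, for example `// Path to the certificate file; empty when not configured.`, would document which test applies. TLSConfig continues outside both hunks.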
@@ -1246,7 +1246,7 @@ SSL_CTX *setup_server_ssl_context(std::vector &all_ssl_ctx,
 auto &tlsconf = get_config()->tls;
 auto ssl_ctx = ssl::create_ssl_context(tlsconf.private_key_file.c_str(),
- tlsconf.cert_file.get()
+ tlsconf.cert_file.c_str()
 #ifdef HAVE_NEVERBLEED
 , nb
@@ -1281,8 +1281,8 @@ SSL_CTX *setup_server_ssl_context(std::vector &all_ssl_ctx,
 }
 }
- if (ssl::cert_lookup_tree_add_cert_from_file(cert_tree, ssl_ctx,
- tlsconf.cert_file.get()) == -1) {
+ if (ssl::cert_lookup_tree_add_cert_from_file(
+ cert_tree, ssl_ctx, tlsconf.cert_file.c_str()) == -1) {
 LOG(FATAL) << "Failed to add default certificate.";
 DIE();
 }
@@ -1323,8 +1323,7 @@ SSL_CTX *setup_downstream_client_ssl_context(
 #ifdef HAVE_NEVERBLEED
 nb,
 #endif // HAVE_NEVERBLEED
- StringRef{tlsconf.cacert},
- StringRef::from_maybe_nullptr(tlsconf.client.cert_file.get()),
+ StringRef{tlsconf.cacert}, StringRef{tlsconf.client.cert_file},
 StringRef{tlsconf.client.private_key_file}, alpn, next_proto_select_cb);
 }
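Review bot: `tlsconf.cert_file.c_str()` presumably gives `ssl::create_ssl_context` a non-null empty string when no certificate is configured, where `.get()` gave a null pointer, so any null check inside the callee (not visible here) would no longer catch a missing certificate. The only guard visible in this commit is the `cert_file.empty()` test in `process_options`, and that test is skipped when `no_tls` is set. A local check before the call, such as `if (tlsconf.cert_file.empty()) { LOG(FATAL) << "No certificate file configured"; DIE(); }`, would make the failure explicit instead of leaving it to the file-loading code. The same substitution reaches `cert_lookup_tree_add_cert_from_file` in the hunk at line 1281. setup_server_ssl_context starts and ends outside both hunks.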
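Review bot: Nothing visible in this change checks that `tlsconf.client.cert_file` and `tlsconf.client.private_key_file` are configured together, and with both now passed as plain `StringRef`s an unset one simply arrives as an empty string. If the callee (not shown) loads the pair only when both are non-empty, setting just one option would silently leave backend connections without a client certificate. Rejecting the mismatch before the call would surface the misconfiguration, e.g. `if (tlsconf.client.cert_file.empty() != tlsconf.client.private_key_file.empty()) { LOG(FATAL) << "Client certificate and private key must be set together"; DIE(); }`. The call this hunk edits begins outside the hunk, inside setup_downstream_client_ssl_context.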