diff --git a/Cargo.lock b/Cargo.lock
index 82b39dd7..9df3da5d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4684,6 +4684,7 @@ dependencies = [
 "serde_json",
 "serde_urlencoded",
 "tokio",
+ "tokio-rustls 0.22.0",
 "tokio-stream",
 "tokio-tungstenite",
 "tokio-util 0.6.9",
diff --git a/chirpstack/Cargo.toml b/chirpstack/Cargo.toml
index fb939142..05353acc 100644
--- a/chirpstack/Cargo.toml
+++ b/chirpstack/Cargo.toml
@@ -67,7 +67,7 @@ prost = "0.10"
 pbjson-types = "0.3"
 # gRPC and HTTP multiplexing
-warp = { version = "0.3" }
+warp = { version = "0.3", features = ["tls"] }
 hyper = "0.14"
 tower = "0.4"
 futures = "0.3"
diff --git a/chirpstack/src/api/backend/mod.rs b/chirpstack/src/api/backend/mod.rs
index 6dd2ec38..53183e52 100644
--- a/chirpstack/src/api/backend/mod.rs
+++ b/chirpstack/src/api/backend/mod.rs
@@ -38,7 +38,24 @@ pub async fn setup() -> Result<()> {
 .and(warp::body::aggregate())
 .then(handle_request);
- warp::serve(routes).run(addr).await;
+ if !conf.backend_interfaces.ca_cert.is_empty()
+ || !conf.backend_interfaces.tls_cert.is_empty()
+ || !conf.backend_interfaces.tls_key.is_empty()
+ {
+ let mut w = warp::serve(routes).tls();
+ if !conf.backend_interfaces.ca_cert.is_empty() {
+ w = w.client_auth_required_path(&conf.backend_interfaces.ca_cert);
+ }
+ if !conf.backend_interfaces.tls_cert.is_empty() {
+ w = w.cert_path(&conf.backend_interfaces.tls_cert);
+ }
+ if !conf.backend_interfaces.tls_key.is_empty() {
+ w = w.key_path(&conf.backend_interfaces.tls_key);
+ }
+ w.run(addr).await;
+ } else {
+ warp::serve(routes).run(addr).await;
+ }
 Ok(())
 }
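Review bot: In the `mod.rs` hunk the outer condition turns TLS on when any one of `ca_cert`, `tls_cert` or `tls_key` is set, but the inner `if`s skip whichever paths are empty, so a config with only `ca_cert` (or a certificate without its key) reaches `w.run(addr)` with an incomplete TLS builder. As far as I know warp surfaces that as a panic at bind time rather than through the `Result` that `setup()` returns; a guard at the top of the TLS branch such as `if conf.backend_interfaces.tls_cert.is_empty() || conf.backend_interfaces.tls_key.is_empty() { return Err(/* config error: tls_cert and tls_key are both required */); }` would give operators a clear startup error instead. Separately, when `ca_cert` is empty the listener does not verify client certificates, and with all three empty it is plaintext, so a startup log line naming the active mode (plaintext, TLS, mutual TLS) would make an unintended downgrade visible; whether `handle_request` authenticates peers some other way cannot be seen from here. `setup()` begins outside the hunk.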