diff --git a/serverutil/tls.go b/serverutil/tls.go
index 053e74d6b2e1719d893cca1437cc58c78c9f7f4e..58dbf6c0fb7a58e5682fdeab3405ec4c602da154 100644
--- a/serverutil/tls.go
+++ b/serverutil/tls.go
@@ -110,21 +110,26 @@ func (c *TLSServerConfig) TLSConfig() (*tls.Config, error) {
 		return nil, err
 	}
 
-	cas, err := common.LoadCA(c.CA)
-	if err != nil {
-		return nil, err
-	}
-
 	// Set some TLS-level parameters (cipher-related), assuming
 	// we're using EC keys.
 	tlsConf := &tls.Config{
 		Certificates:             []tls.Certificate{cert},
-		ClientAuth:               tls.RequireAndVerifyClientCert,
-		ClientCAs:                cas,
 		CipherSuites:             serverCiphers,
 		MinVersion:               tls.VersionTLS12,
 		PreferServerCipherSuites: true,
 	}
+
+	// Require client certificates if a CA is specified.
+	if c.CA != "" {
+		cas, err := common.LoadCA(c.CA)
+		if err != nil {
+			return nil, err
+		}
+
+		tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
+		tlsConf.ClientCAs = cas
+	}
+
 	tlsConf.BuildNameToCertificate()
 
 	return tlsConf, nil