diff --git a/cmd/acmeserver/acmeserver.go b/cmd/acmeserver/acmeserver.go
index 8720920965bc3a7725140bf2867aeeb40868be65..1792bf689a389e1f1222ae3fcb19655590822e5f 100644
--- a/cmd/acmeserver/acmeserver.go
+++ b/cmd/acmeserver/acmeserver.go
@@ -58,6 +58,8 @@ func defaultConfig() *Config {
 	config.ACME.HTTP.Enabled = true
 	config.ACME.AccountKeyPath = "/var/lib/acme/account.key"
 	config.ACME.KeyType = common.KeyTypeECDSA
+	config.Output.Type = "file"
+	config.Output.FS.Path = "/var/lib/acme/certs"
 	return &config
 }
 
diff --git a/upload/config.go b/upload/config.go
index c499a61a7496ef61d5116abc22dbf686aa6ab3de..8b66e76b59febdf4b1a374c41bf3c2fa9ce67740 100644
--- a/upload/config.go
+++ b/upload/config.go
@@ -1,7 +1,13 @@
 package upload
 
-// Config for the output storage layer.
-type Config struct {
+import (
+	"context"
+	"fmt"
+
+	"git.autistici.org/ai3/tools/acmeserver/common"
+)
+
+type ReplDSConfig struct {
 	Endpoint string `yaml:"endpoint"`
 	Prefix   string `yaml:"prefix"`
 	TLS      struct {
@@ -10,3 +16,35 @@ type Config struct {
 		CA   string `yaml:"ca"`
 	} `yaml:"tls"`
 }
+
+type FSConfig struct {
+	Path string `yaml:"path"`
+}
+
+const (
+	configTypeFS     = "file"
+	configTypeReplDS = "replds"
+)
+
+// Config for the output storage layer.
+type Config struct {
+	Type   string       `yaml:"type"`
+	ReplDS ReplDSConfig `yaml:"replds"`
+	FS     FSConfig     `yaml:"file"`
+}
+
+// Uploader is the interface to the storage backend.
+type Uploader interface {
+	Upload(context.Context, string, *common.Credentials) error
+}
+
+func New(config *Config) (Uploader, error) {
+	switch config.Type {
+	case configTypeFS:
+		return newFS(&config.FS)
+	case configTypeReplDS:
+		return newReplDS(&config.ReplDS)
+	default:
+		return nil, fmt.Errorf("unknown storage type '%s'", config.Type)
+	}
+}
diff --git a/upload/replds.go b/upload/replds.go
index caf0139adac1881f29f25036c6cb1de1a762dbb9..5ca71f60e989933cbc9a25747f828fddfc28e9d5 100644
--- a/upload/replds.go
+++ b/upload/replds.go
@@ -40,8 +40,8 @@ type ReplStorage struct {
 	conn   *grpc.ClientConn
 }
 
-// New creates a new ReplStorage.
-func New(config *Config) (*ReplStorage, error) {
+// newReplDS creates a new ReplStorage.
+func newReplDS(config *ReplDSConfig) (*ReplStorage, error) {
 	var creds credentials.TransportCredentials
 
 	if config.TLS.Cert != "" && config.TLS.Key != "" && config.TLS.CA != "" {