diff --git a/diam/server.go b/diam/server.go
index 44514bcc..415001c8 100644
--- a/diam/server.go
+++ b/diam/server.go
@@ -671,8 +671,10 @@ func ListenAndServe(addr string, handler Handler, dp *dict.Parser) error {
 // ListenAndServeTLS listens on the network address srv.Addr and
 // then calls Serve to handle requests on incoming TLS connections.
 //
-// Filenames containing a certificate and matching private key for
-// the server must be provided. If the certificate is signed by a
+// Either filenames containing a certificate and matching private key
+// for the server must be provided either the callback
+// srv.TLSConfig.GetCertificate should be filled in advance.
+// If the certificate is signed by a
 // certificate authority, the certFile should be the concatenation
 // of the server's certificate followed by the CA's certificate.
 //
@@ -694,11 +696,13 @@ func (srv *Server) ListenAndServeTLS(certFile, keyFile string) error {
 		config = TLSConfigClone(srv.TLSConfig)
 	}
 	var err error
-	config.Certificates = make([]tls.Certificate, 1)
-	config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return err
-	}
+	if config.GetCertificate == nil {
+		config.Certificates = make([]tls.Certificate, 1)
+		config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
+		if err != nil {
+			return err
+		}
+	}	
 	conn, err := Listen(network, addr)
 	if err != nil {
 		return err