diff --git a/rest/service/src/main.rs b/rest/service/src/main.rs
index f949851fe..10995a947 100644
--- a/rest/service/src/main.rs
+++ b/rest/service/src/main.rs
@@ -12,7 +12,7 @@ use rustls::{
 NoClientAuth,
 ServerConfig,
 };
-use std::io::BufReader;
+use std::{fs::File, io::BufReader};
 use structopt::StructOpt;
 #[derive(Debug, StructOpt)]
@@ -29,6 +29,17 @@ pub(crate) struct CliArgs {
 #[structopt(long, short, default_value = "nats://0.0.0.0:4222")]
 nats: String,
+ /// Path to the certificate file
+ #[structopt(long, short, required_unless = "dummy-certificates")]
+ cert_file: Option,
+ /// Path to the key file
+ #[structopt(long, short, required_unless = "dummy-certificates")]
+ key_file: Option,
+
+ /// Use dummy HTTPS certificates (for testing)
+ #[structopt(long, short, required_unless = "cert-file")]
+ dummy_certificates: bool,
+
 /// Trace rest requests to the Jaeger endpoint agent
 #[structopt(long, short)]
 jaeger: Option, 
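Review bot: `--dummy-certificates` and `--cert-file`/`--key-file` are only linked by `required_unless`, so passing all three is accepted, and because `get_certificates` in the next hunk tests the bool first, the embedded test certificate silently wins over the operator's real certificate. Declaring them mutually exclusive turns that into an argument error: `#[structopt(long, short, required_unless = "cert-file", conflicts_with = "cert-file")]` on `dummy_certificates`, with the matching `conflicts_with = "dummy-certificates"` on the two path options. The doc comments could also name the expected format, e.g. `/// Path to the PEM-encoded certificate chain file`, since the loader added in this commit parses PEM only. The `CliArgs` struct continues outside the hunk.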
@@ -90,24 +101,61 @@ where
 }
 }
-#[actix_web::main]
-async fn main() -> std::io::Result<()> {
- // need to keep the jaeger pipeline tracer alive, if enabled
- let _tracer = init_tracing();
-
- mbus_api::message_bus_init(CliArgs::from_args().nats).await;
+fn get_certificates() -> anyhow::Result {
+ if CliArgs::from_args().dummy_certificates {
+ get_dummy_certificates()
+ } else {
+ // guaranteed to be `Some` by the require_unless attribute
+ let cert_file = CliArgs::from_args()
+ .cert_file
+ .expect("cert_file is required");
+ let key_file =
+ CliArgs::from_args().key_file.expect("key_file is required");
+ let cert_file = &mut BufReader::new(File::open(cert_file)?);
+ let key_file = &mut BufReader::new(File::open(key_file)?);
+ load_certificates(cert_file, key_file)
+ }
+}
- // dummy certificates
- let mut config = ServerConfig::new(NoClientAuth::new());
+fn get_dummy_certificates() -> anyhow::Result {
 let cert_file = &mut BufReader::new(
 &std::include_bytes!("../../certs/rsa/user.chain")[..],
 );
 let key_file = &mut BufReader::new(
 &std::include_bytes!("../../certs/rsa/user.rsa")[..],
 );
- let cert_chain = certs(cert_file).unwrap();
- let mut keys = rsa_private_keys(key_file).unwrap();
- config.set_single_cert(cert_chain, keys.remove(0)).unwrap();
+
+ load_certificates(cert_file, key_file)
+}
+
+fn load_certificates(
+ cert_file: &mut BufReader,
+ key_file: &mut BufReader,
+) -> anyhow::Result {
+ let mut config = ServerConfig::new(NoClientAuth::new());
+ let cert_chain = certs(cert_file).map_err(|_| {
+ anyhow::anyhow!(
+ "Failed to retrieve certificates from the certificate file",
+ )
+ })?;
+ let mut keys = rsa_private_keys(key_file).map_err(|_| {
+ anyhow::anyhow!(
+ "Failed to retrieve the rsa private keys from the key file",
+ )
+ })?;
+ if keys.is_empty() {
+ anyhow::bail!("No keys found in the keys file");
+ }
+ config.set_single_cert(cert_chain, keys.remove(0))?;
+ Ok(config)
+}
+
+#[actix_web::main]
+async fn main() -> anyhow::Result<()> {
+ // need to 
keep the jaeger pipeline tracer alive, if enabled
+ let _tracer = init_tracing();
+
+ mbus_api::message_bus_init(CliArgs::from_args().nats).await;
 let server = HttpServer::new(move || {
 App::new()
@@ -115,12 +163,13 @@ async fn main() -> std::io::Result<()> {
 .wrap(middleware::Logger::default())
 .configure_api(&v0::configure_api)
 })
- .bind_rustls(CliArgs::from_args().https, config)?;
+ .bind_rustls(CliArgs::from_args().https, get_certificates()?)?;
 if let Some(http) = CliArgs::from_args().http {
- server.bind(http)?
+ server.bind(http).map_err(anyhow::Error::from)?
 } else {
 server
 }
 .run()
 .await
+ .map_err(|e| e.into())
 }
diff --git a/rest/tests/v0_test.rs b/rest/tests/v0_test.rs
index 72afc36d9..9af46e5ca 100644
--- a/rest/tests/v0_test.rs
+++ b/rest/tests/v0_test.rs
@@ -55,9 +55,11 @@ async fn client() {
 .add_container_spec(
 ContainerSpec::from_binary(
 "rest",
- Binary::from_dbg("rest")
- .with_nats("-n")
- .with_args(vec!["-j", "10.1.0.8:6831"]),
+ Binary::from_dbg("rest").with_nats("-n").with_args(vec![
+ "-j",
+ "10.1.0.8:6831",
+ "--dummy-certificates",
+ ]),
 )
 .with_portmap("8080", "8080")
 .with_portmap("8081", "8081"),
diff --git a/services/deployer/src/infra/rest.rs b/services/deployer/src/infra/rest.rs
index 29e7a7659..07bf78ada 100644
--- a/services/deployer/src/infra/rest.rs
+++ b/services/deployer/src/infra/rest.rs
@@ -21,6 +21,7 @@ impl ComponentAction for Rest {
 "rest",
 Binary::from_dbg("rest")
 .with_nats("-n")
+ .with_arg("--dummy-certificates")
 .with_args(vec!["--https", "rest:8080"])
 .with_args(vec!["--http", "rest:8081"]),
 )
@@ -34,6 +35,7 @@ impl ComponentAction for Rest {
 "rest",
 Binary::from_dbg("rest")
 .with_nats("-n")
+ .with_arg("--dummy-certificates")
 .with_args(vec!["-j", &jaeger_config])
 .with_args(vec!["--https", "rest:8080"])
 .with_args(vec!["--http", "rest:8081"]),
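Review bot: `get_dummy_certificates` embeds `../../certs/rsa/user.rsa` into every build with `include_bytes!`, so a release binary carries a test private key and serves TLS with it whenever `--dummy-certificates` is set, and the dummy branch of `get_certificates` gives no indication that this happened. Gating the dummy path behind `#[cfg(debug_assertions)]` or a cargo feature, and logging a prominent warning from that branch, would keep a leftover test flag from silently downgrading a deployment. `CliArgs::from_args()` is re-parsed three times in `get_certificates`; bind it once with `let args = CliArgs::from_args();` and read `args.dummy_certificates`, `args.cert_file` and `args.key_file` from it. `load_certificates` only calls `rsa_private_keys`, so a PKCS#8 key (`BEGIN PRIVATE KEY`) most likely surfaces as `No keys found in the keys file`; either also try `pkcs8_private_keys` from the same pemfile module, or name the expected `RSA PRIVATE KEY` PEM block in that error message. The `File::open(...)?` errors in `get_certificates` carry no path, so with `anyhow::Context` in scope `File::open(&cert_file).with_context(|| format!("failed to open certificate file {}", cert_file))?` would tell the operator which file is wrong.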
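Review bot: `server.bind(http).map_err(anyhow::Error::from)?` in the `if let Some(http)` arm is redundant, because `?` already converts the `io::Error` into `anyhow::Error` now that `main` returns `anyhow::Result<()>`; the pre-change `server.bind(http)?` still compiles as is. The trailing `.map_err(|e| e.into())` can go the same way by ending the function with `.await?;` followed by `Ok(())`, which keeps the conversion explicit at one place. `main`'s body begins outside this hunk.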