diff --git a/framework/config/tls/server.go b/framework/config/tls/server.go
index cfac93e..a31e4e6 100644
--- a/framework/config/tls/server.go
+++ b/framework/config/tls/server.go
@@ -38,11 +38,10 @@ func (cfg *TLSConfig) Get() (*tls.Config, error) {
 }
 tlsCfg := cfg.baseCfg.Clone()
- certs, err := cfg.loader.LoadCerts()
+ err := cfg.loader.ConfigureTLS(tlsCfg)
 if err != nil {
 return nil, err
 }
- tlsCfg.Certificates = certs
 return tlsCfg, nil
 }
@@ -50,7 +49,7 @@ func (cfg *TLSConfig) Get() (*tls.Config, error) {
 // TLSDirective reads the TLS configuration and adds the reload handler to
 // reread certificates on SIGUSR2.
 //
-// The returned value is *tls.TLSConfig with GetConfigForClient set.
+// The returned value is *tls.Config with GetConfigForClient set.
 // If the 'tls off' is used, returned value is nil.
 func TLSDirective(m *config.Map, node config.Node) (interface{}, error) {
 cfg, err := readTLSBlock(m.Globals, node)
diff --git a/framework/module/tls_loader.go b/framework/module/tls_loader.go
index 404ad96..06184c0 100644
--- a/framework/module/tls_loader.go
+++ b/framework/module/tls_loader.go
@@ -18,7 +18,9 @@ along with this program. If not, see .
 package module
-import "crypto/tls"
+import (
+ "crypto/tls"
+)
 // TLSLoader interface is module interface that can be used to supply TLS
 // certificates to TLS-enabled endpoints.
@@ -35,5 +37,5 @@ import "crypto/tls"
 // Modules implementing this interface should be registered with prefix
 // "tls.loader." in name.
 type TLSLoader interface {
- LoadCerts() ([]tls.Certificate, error)
+ ConfigureTLS(c *tls.Config) error
 }
diff --git a/internal/tls/file.go b/internal/tls/file.go
index a20179c..943a59e 100644
--- a/internal/tls/file.go
+++ b/internal/tls/file.go
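Review bot: In `TLSConfig.Get` (framework/config/tls/server.go), `cfg.loader.ConfigureTLS(tlsCfg)` hands the loader the whole cloned config and the result is returned unchecked, so a loader is no longer limited to supplying certificates: it can also change whatever protocol, cipher or client-authentication settings the clone carried over from `baseCfg`. If loaders are meant to provide certificate material only, `Get` could enforce that after the call, at minimum rejecting a config that ended up with no certificate source: `if len(tlsCfg.Certificates) == 0 && tlsCfg.GetCertificate == nil { return nil, errors.New("tls: loader set no certificates") }`. The start of `Get` lies above the hunk, so any validation done earlier in the function is not visible here.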
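Review bot: The new `ConfigureTLS(c *tls.Config) error` method of `TLSLoader` (framework/module/tls_loader.go) has no comment of its own, and the interface comment, most of which lies above the hunk, still describes loaders as something that supplies certificates. Implementations now write into a config owned by the caller, so the contract should be spelled out on the method, for example `// ConfigureTLS sets the certificate-related fields of c. It must not retain c or modify unrelated fields, and must be safe to call concurrently.` Whether concurrent calls actually happen is not visible on this page; the read lock taken in `FileLoader.ConfigureTLS` suggests they are expected.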
@@ -153,13 +153,16 @@ func (f *FileLoader) loadCerts() error {
 return nil
 }
-func (f *FileLoader) LoadCerts() ([]tls.Certificate, error) {
+func (f *FileLoader) ConfigureTLS(c *tls.Config) error {
 // Loader function replaces only the whole slice.
 f.certsLock.RLock()
 defer f.certsLock.RUnlock()
- return f.certs, nil
+
+ c.Certificates = f.certs
+ return nil
 }
 func init() {
+ var _ module.TLSLoader = &FileLoader{}
 module.Register("tls.loader.file", NewFileLoader)
 }
diff --git a/internal/tls/self_signed.go b/internal/tls/self_signed.go
index ce3da60..d5e174f 100644
--- a/internal/tls/self_signed.go
+++ b/internal/tls/self_signed.go
@@ -101,10 +101,12 @@ func (f *SelfSignedLoader) InstanceName() string {
 return f.instName
 }
-func (f *SelfSignedLoader) LoadCerts() ([]tls.Certificate, error) {
- return []tls.Certificate{f.cert}, nil
+func (f *SelfSignedLoader) ConfigureTLS(c *tls.Config) error {
+ c.Certificates = []tls.Certificate{f.cert}
+ return nil
 }
 func init() {
+ var _ module.TLSLoader = &SelfSignedLoader{}
 module.Register("tls.loader.self_signed", NewSelfSignedLoader)
 }
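Review bot: `c.Certificates = f.certs` in `FileLoader.ConfigureTLS` (internal/tls/file.go) publishes the loader's own slice, so the config handed back to the caller shares its backing array with `f.certs` once the read lock is released. The existing comment covers the reload path (the loader swaps the whole slice), but nothing tells consumers of the config that they must not write into `c.Certificates`. Either state that next to the assignment, `// c.Certificates aliases f.certs; callers must treat it as read-only.`, or hand out a copy with `c.Certificates = append([]tls.Certificate(nil), f.certs...)`. The old `LoadCerts` returned the same slice, so this is carried over rather than introduced by the change.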
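Review bot: The interface assertion `var _ module.TLSLoader = &SelfSignedLoader{}` sits inside `init()` in internal/tls/self_signed.go, where it is easy to miss; the same placement is used for `FileLoader` in `init()` of internal/tls/file.go. The usual form is a package-level declaration next to the type, `var _ module.TLSLoader = (*SelfSignedLoader)(nil)`, which also avoids constructing a value. The check is compile-time either way, so this is a readability point only.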