diff --git a/ca/ca.go b/ca/ca.go
index e03e69c1..4146466d 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -49,6 +49,7 @@ type options struct {
 	sshUserPassword []byte
 	database db.AuthDB
 	x509CAService apiv1.CertificateAuthorityService
+	tlsConfig *tls.Config
 }
 
 func (o *options) apply(opts []Option) {
@@ -114,6 +115,14 @@ func WithDatabase(d db.AuthDB) Option {
 	}
 }
 
+// WithTLSConfig sets the TLS configuration to be used by the HTTP(s) server
+// spun by step-ca.
+func WithTLSConfig(t *tls.Config) Option {
+	return func(o *options) {
+		o.tlsConfig = t
+	}
+}
+
 // WithLinkedCAToken sets the token used to authenticate with the linkedca.
 func WithLinkedCAToken(token string) Option {
 	return func(o *options) {
@@ -193,9 +202,20 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 	}
 	ca.auth = auth
 
-	tlsConfig, clientTLSConfig, err := ca.getTLSConfig(auth)
-	if err != nil {
-		return nil, err
+	var tlsConfig *tls.Config
+	var clientTLSConfig *tls.Config
+	if ca.opts.tlsConfig != nil {
+		// try using the tls Configuration supplied by the caller
+		log.Print("Using tls configuration supplied by the application")
+		tlsConfig = ca.opts.tlsConfig
+		clientTLSConfig = ca.opts.tlsConfig
+	} else {
+		// default to using the step-ca x509 Signer Interface
+		log.Print("Building new tls configuration using step-ca x509 Signer Interface")
+		tlsConfig, clientTLSConfig, err = ca.getTLSConfig(auth)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	webhookTransport.TLSClientConfig = clientTLSConfig
@@ -457,7 +477,10 @@ func (ca *CA) Run() error {
 // Stop stops the CA calling to the server Shutdown method.
 func (ca *CA) Stop() error {
 	close(ca.compactStop)
-	ca.renewer.Stop()
+	if ca.renewer != nil {
+		ca.renewer.Stop()
+	}
+
 	if err := ca.auth.Shutdown(); err != nil {
 		log.Printf("error stopping ca.Authority: %+v\n", err)
 	}
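Review bot: The doc comment on WithTLSConfig only mentions the HTTPS server, but the Init hunk at @@ -193,9 +202,20 @@ also installs the same value as the client TLS configuration (webhookTransport.TLSClientConfig), so a caller reading this comment will not know that their config must also carry RootCAs suitable for the CA's outbound connections, nor that it replaces the configuration step-ca otherwise derives from its own x509 signer. Suggest `// WithTLSConfig sets the TLS configuration used both by the HTTPS server and, as-is, as the client TLS configuration for outbound connections such as webhooks. It replaces the configuration step-ca would otherwise build from its x509 signer; the caller keeps ownership of the pointer.` "HTTP(s)" should also read "HTTPS".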
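Review bot: In the Init hunk the caller-supplied *tls.Config is assigned unchanged to both tlsConfig and clientTLSConfig, so one object configured for the server side (Certificates/GetCertificate, ClientAuth, ClientCAs) also becomes the client config for webhookTransport.TLSClientConfig and, inferred, any other outbound client built from clientTLSConfig. A server config typically carries no RootCAs, so those outbound connections would fall back to the system trust store rather than whatever getTLSConfig previously installed, and because the pointer is shared any later mutation by one side is visible to the other. Suggest at least detaching the client copy, `clientTLSConfig = ca.opts.tlsConfig.Clone()`, and rejecting an obviously unsafe input before use, e.g. `if ca.opts.tlsConfig.InsecureSkipVerify { return nil, errors.New("tls config: InsecureSkipVerify is not allowed") }` (importing errors if the file does not already), or better a separate option for the client configuration. The early-return style would also read better than the else branch: handle the supplied-config case and fall through to getTLSConfig. Init's body continues outside the hunk on both sides.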
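Review bot: The `if ca.renewer != nil` guard added in Stop is repeated verbatim in Reload (hunk @@ -532,7 +555,10 @@), and neither site says why the renewer can now be nil; from the Init hunk it appears to stay unset only when a config arrives via WithTLSConfig, which is worth recording so the guard is not later removed as dead code. Suggest a comment at both sites, `// renewer is nil when the TLS config was supplied via WithTLSConfig; nothing to stop.`, or moving the nil check into a single helper so the two call sites cannot drift apart. Both enclosing functions continue outside the hunk.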
@@ -532,7 +555,10 @@ func (ca *CA) Reload() error {
 	// 2. Safely shutdown any internal resources (e.g. key manager)
 	// 3. Replace ca properties
 	// Do not replace ca.srv
-	ca.renewer.Stop()
+	if ca.renewer != nil {
+		ca.renewer.Stop()
+	}
+
 	ca.auth.CloseForReload()
 	ca.auth = newCA.auth
 	ca.config = newCA.config