diff --git a/logsrvd/logsrvd.c b/logsrvd/logsrvd.c
index 891667140..f0611db5e 100644
--- a/logsrvd/logsrvd.c
+++ b/logsrvd/logsrvd.c
@@ -1143,7 +1143,10 @@ init_tls_server_context(void)
         SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
     }
 
-    if (!SSL_CTX_use_PrivateKey_file(ctx, tls_config->pkey_path, SSL_FILETYPE_PEM)) {
+    /* if private key file was not set, assume that the cert file contains the private key */
+    char* pkey = (tls_config->pkey_path == NULL ? tls_config->cert_path : tls_config->pkey_path);
+
+    if (!SSL_CTX_use_PrivateKey_file(ctx, pkey, SSL_FILETYPE_PEM)) {
         sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
             "unable to load key file: %s",
             ERR_error_string(ERR_get_error(), NULL));
diff --git a/logsrvd/logsrvd_conf.c b/logsrvd/logsrvd_conf.c
index 991b1b13f..2b5153a93 100644
--- a/logsrvd/logsrvd_conf.c
+++ b/logsrvd/logsrvd_conf.c
@@ -52,6 +52,11 @@
 #include "pathnames.h"
 #include "logsrvd.h"
 
+#if defined(HAVE_OPENSSL)
+# define DEFAULT_CA_CERT_PATH "/etc/ssl/sudo/cacert.pem"
+# define DEFAULT_SERVER_CERT_PATH "/etc/ssl/sudo/logsrvd_cert.pem"
+#endif
+
 struct logsrvd_config;
 typedef bool (*logsrvd_conf_cb_t)(struct logsrvd_config *config, const char *);
 
@@ -853,6 +858,11 @@ logsrvd_conf_alloc(void)
     TAILQ_INIT(&config->server.addresses);
     config->server.timeout.tv_sec = DEFAULT_SOCKET_TIMEOUT_SEC;
 
+#if defined(HAVE_OPENSSL)
+    config->server.tls_config.cacert_path = strdup(DEFAULT_CA_CERT_PATH);
+    config->server.tls_config.cert_path = strdup(DEFAULT_SERVER_CERT_PATH);
+#endif
+
     /* I/O log defaults */
     config->iolog.compress = false;
     config->iolog.flush = true;
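Review bot: pkey is still NULL when neither pkey_path nor cert_path is set, and cert_path is only non-NULL if the default strdup in logsrvd_conf_alloc succeeded, so SSL_CTX_use_PrivateKey_file can be handed a NULL filename on the added line. Guard that case explicitly before the call and take the error path the existing "unable to load key file" branch already uses, and since the value is never written through, declare it `const char *pkey = tls_config->pkey_path != NULL ? tls_config->pkey_path : tls_config->cert_path;` in the file's `type *name` style rather than `char* pkey`. It would also help operators to emit a sudo_debug_printf line when the fallback is taken, e.g. `"no tls_key configured, loading private key from %s"`, so a mistyped key path does not silently succeed with a different file. init_tls_server_context begins and ends outside the hunk, so I cannot see whether a mixed declaration mid-block matches the function's existing layout.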
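Review bot: The two DEFAULT_*_PATH macros hard-code absolute locations under /etc/ssl/sudo, while this file already includes pathnames.h; if the project derives its other installation paths there from the configured sysconfdir, these defaults should follow the same route so packagers can relocate them at configure time instead of patching the source. A one-line comment above the block stating that the paths are fallbacks used only when no cert/CA entry appears in the configuration file, and that the default certificate file is also expected to carry the private key when no key path is given, would document the contract the logsrvd.c change relies on.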
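Review bot: Both strdup results are stored without a NULL check, so an allocation failure leaves cacert_path or cert_path NULL and the error surfaces later, if at all, as an OpenSSL file-load failure with no indication that memory was the cause. Check each result and take the function's existing allocation-failure path, e.g. `if (config->server.tls_config.cert_path == NULL) goto oom;` (adjust the label to whatever logsrvd_conf_alloc already uses; its body starts before the hunk). Since these fields are now heap-owned by default rather than only when the config file sets them, confirm that the matching free routine and the config-file setters release the existing value before overwriting it, otherwise each reload leaks the default strings.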