diff --git a/Cargo.lock b/Cargo.lock
index a9e2dd536..370c87ed9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1893,6 +1893,7 @@ version = "0.13.0"
 dependencies = [
 "bollard-next",
 "chrono",
+ "clap",
 "schemars",
 "serde",
 "serde_json",
diff --git a/bin/nanocld/Cargo.toml b/bin/nanocld/Cargo.toml
index 47d0bcab6..efada5371 100644
--- a/bin/nanocld/Cargo.toml
+++ b/bin/nanocld/Cargo.toml
@@ -32,6 +32,7 @@ release = []
 clap = { version = "4.4", features = ["derive"] }
 clap_mangen = { version = "0.2" }
 nanocl_utils = { version = "0.4", features = ["build_tools"] }
+nanocl_stubs = { version = "0.13", features = ["clap"] }
 [dev-dependencies]
 serde_yaml = "0.9"
@@ -79,7 +80,7 @@ chrono = { version = "0.4", default-features = false, features = [
 jsonschema = { version = "0.17", default-features = false }
 nanocld_client = { version = "0.13", features = ["tokio"] }
 metrsd_client = "0.5"
-nanocl_stubs = { version = "0.13", features = ["serde"] }
+nanocl_stubs = { version = "0.13", features = ["serde", "clap"] }
 nanocl_utils = { version = "0.4", features = ["unix", "ntex", "logger"] }
 utoipa = { version = "4.2", features = ["yaml"], optional = true }
 notify = "6.1"
diff --git a/bin/nanocld/specs/swagger.yaml b/bin/nanocld/specs/swagger.yaml
index 3c565ce90..cad791cbf 100644
--- a/bin/nanocld/specs/swagger.yaml
+++ b/bin/nanocld/specs/swagger.yaml
@@ -2854,17 +2854,9 @@ components:
 format: int32
 description: Group id
 minimum: 0
- cert:
- type: string
- description: Certificate path
- nullable: true
- cert_key:
- type: string
- description: Certificate key path
- nullable: true
- cert_ca:
- type: string
- description: Ca certificate path
+ ssl:
+ allOf:
+ - $ref: '#/components/schemas/SslConfig'
 nullable: true
 DeviceMapping:
 type: object
diff --git a/bin/nanocld/src/cli.rs b/bin/nanocld/src/cli.rs
index f2729a28a..ef2ee6e69 100644
--- a/bin/nanocld/src/cli.rs
+++ b/bin/nanocld/src/cli.rs
@@ -1,5 +1,7 @@
 use clap::Parser;
+use nanocl_stubs::system::SslConfig;
+
 /// Nanocl Daemon - Self Sufficient Orchestrator
 #[derive(Debug, Clone, Parser)]
 #[command(name = "Nanocl")]
@@ -34,15 +36,9 @@ pub struct Cli {
 /// Group id
 #[clap(long, default_value = "0")]
 pub gid: u32,
- /// Optional certificate path
- #[clap(long)]
- pub cert: Option,
- /// Optional certificate key path
- #[clap(long)]
- pub cert_key: Option,
- /// Optional ca certificate path
- #[clap(long)]
- pub cert_ca: Option,
+ /// Optional ssl options
+ #[clap(flatten)]
+ pub ssl: Option,
 }
 impl Default for Cli {
@@ -57,9 +53,7 @@ impl Default for Cli {
 nodes: vec![],
 advertise_addr: None,
 gid: 0,
- cert: None,
- cert_key: None,
- cert_ca: None,
+ ssl: None,
 }
 }
 }
diff --git a/bin/nanocld/src/config.rs b/bin/nanocld/src/config.rs
index 6ddc0fda0..ad17b89e4 100644
--- a/bin/nanocld/src/config.rs
+++ b/bin/nanocld/src/config.rs
@@ -63,9 +63,7 @@ fn gen_daemon_conf(
 advertise_addr,
 nodes: args.nodes.clone(),
 conf_dir: args.conf_dir.clone(),
- cert: args.cert.clone(),
- cert_key: args.cert_key.clone(),
- cert_ca: args.cert_ca.clone(),
+ ssl: args.ssl.clone(),
 })
 }
diff --git a/bin/nanocld/src/utils/server.rs b/bin/nanocld/src/utils/server.rs
index ec943ba0d..a492f1d8c 100644
--- a/bin/nanocld/src/utils/server.rs
+++ b/bin/nanocld/src/utils/server.rs
@@ -50,10 +50,11 @@ pub async fn gen(
 };
 } else if host.starts_with("tcp://") {
 let addr = host.replace("tcp://", "");
- if let Some(cert) = config.cert.clone() {
+ if let Some(ssl) = config.ssl.clone() {
 log::debug!("server::gen: {addr}: with ssl");
- let cert_key = config.cert_key.clone().unwrap();
- let cert_ca = config.cert_ca.clone().unwrap();
+ let cert = ssl.cert.clone().unwrap();
+ let cert_key = ssl.cert_key.clone().unwrap();
+ let cert_ca = ssl.cert_ca.clone().unwrap();
 server = match server.bind_openssl(&addr, {
 let mut builder =
 SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
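Review bot: The three `unwrap()` calls on `ssl.cert`, `ssl.cert_key` and `ssl.cert_ca` in the `tcp://` branch of server.rs panic the daemon at bind time whenever `config.ssl` is `Some` but one of the paths is missing. That state is easier to reach than before: every field of `SslConfig` is optional, and the `#[clap(flatten)]` field added in the cli.rs hunk presumably yields `Some` as soon as any one of the three flags is passed, whereas the old code entered this branch only when `cert` itself was set. Validate the set once and return an error that names the missing option, e.g. `let (Some(cert), Some(cert_key), Some(cert_ca)) = (ssl.cert, ssl.cert_key, ssl.cert_ca) else { /* return gen's error type */ };`. Keep the failure closed: an incomplete `ssl` block should stop startup rather than fall back to a plain TCP bind or a listener built without the CA file. `gen` starts and ends outside the hunk, so its error type is not visible here.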
@@ -207,7 +208,8 @@ mod tests {
 builder
 .set_certificate_file("../../tests/client.crt", SslFiletype::PEM)
 .unwrap();
- builder.set_private_key_file("../../tests/client.key", SslFiletype::PEM)
+ builder
+ .set_private_key_file("../../tests/client.key", SslFiletype::PEM)
 .unwrap();
 let client = ntex::http::client::Client::build()
 .connector(Connector::default().openssl(builder.build()).finish())
diff --git a/crates/nanocl_stubs/Cargo.toml b/crates/nanocl_stubs/Cargo.toml
index a53e0a19b..27d410006 100644
--- a/crates/nanocl_stubs/Cargo.toml
+++ b/crates/nanocl_stubs/Cargo.toml
@@ -17,6 +17,7 @@ default = ["serde"]
 serde = ["dep:serde", "uuid/serde", "chrono/serde"]
 utoipa = ["dep:utoipa"]
 schemars = ["dep:schemars", "bollard-next/schemars"]
+clap = ["dep:clap"]
 test = []
 [dependencies]
@@ -30,3 +31,4 @@ chrono = { version = "0.4", default-features = false, features = [
 serde = { version = "1.0", features = ["derive"], optional = true }
 utoipa = { version = "4", features = ["uuid", "chrono"], optional = true }
 schemars = { version = "0.8", features = ["uuid1", "chrono"], optional = true }
+clap = { version = "4.4", features = ["derive", "cargo"], optional = true }
diff --git a/crates/nanocl_stubs/src/config.rs b/crates/nanocl_stubs/src/config.rs
index e29e52979..a33fb0c21 100644
--- a/crates/nanocl_stubs/src/config.rs
+++ b/crates/nanocl_stubs/src/config.rs
@@ -1,6 +1,8 @@
 #[cfg(feature = "serde")]
 use serde::{Serialize, Deserialize};
+use super::system::SslConfig;
+
 /// Configuration of the daemon
 /// It is used to configure the daemon
 #[derive(Debug, Clone)]
@@ -27,12 +29,8 @@ pub struct DaemonConfig {
 pub conf_dir: String,
 /// Group id
 pub gid: u32,
- /// Certificate path
- pub cert: Option,
- /// Certificate key path
- pub cert_key: Option,
- /// Ca certificate path
- pub cert_ca: Option,
+ /// Optional ssl configuration
+ pub ssl: Option,
 }
 /// Configuration File of the daemon
@@ -64,9 +62,7 @@ impl Default for DaemonConfig {
 gateway: String::default(),
 nodes: Vec::default(),
 advertise_addr: String::default(),
- cert: None,
- cert_key: None,
- cert_ca: None,
+ ssl: None,
 }
 }
 }
diff --git a/crates/nanocl_stubs/src/system.rs b/crates/nanocl_stubs/src/system.rs
index df9c120bf..2c06d8f75 100644
--- a/crates/nanocl_stubs/src/system.rs
+++ b/crates/nanocl_stubs/src/system.rs
@@ -7,6 +7,21 @@ use serde::{Serialize, Deserialize};
 use crate::config::DaemonConfig;
+#[derive(Clone, Debug, Default, Eq, PartialEq)]
+#[cfg_attr(feature = "utoipa", derive(utoipa::ToSchema))]
+#[cfg_attr(feature = "schemars", derive(schemars::JsonSchema))]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "serde", serde(rename_all = "lowercase"))]
+#[cfg_attr(feature = "clap", derive(clap::Parser))]
+pub struct SslConfig {
+ #[cfg_attr(feature = "clap", clap(long))]
+ pub cert: Option,
+ #[cfg_attr(feature = "clap", clap(long))]
+ pub cert_key: Option,
+ #[cfg_attr(feature = "clap", clap(long))]
+ pub cert_ca: Option,
+}
+
 #[derive(Clone, Debug, Default, Eq, PartialEq)]
 #[cfg_attr(feature = "utoipa", derive(utoipa::ToSchema))]
 #[cfg_attr(feature = "schemars", derive(schemars::JsonSchema))]
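Review bot: The fields of the new `SslConfig` struct carry no doc comments, so the descriptions the removed `DaemonConfig` fields had (`/// Certificate path`, `/// Certificate key path`, `/// Ca certificate path`) are lost; with the clap and utoipa derives those comments would normally supply the `--help` text and the schema descriptions. Put them back on `cert`, `cert_key` and `cert_ca`, and add a one-line summary on the struct saying the three values are file paths and that the server code unwraps all of them together. As far as this diff shows the struct is only flattened into `Cli`, so `derive(clap::Args)` states its role more precisely than `derive(clap::Parser)`. Tying the flags together at parse time, for example `clap(long, requires = "cert_key")` on `cert`, would reject a partial set before the daemon reaches the bind code. The definition of `SslConfig` lies entirely inside this hunk.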