+@node TLS
+@unnumbered TLS support
+
+You can enable TLS support by specifying PEM-encoded X.509 certificate
+and private key files. Go's TLS implementation supports TLS 1.3, HTTP/2
+negotiation, Keep-Alives, modern ciphersuites and ECC.
+
+For example generate some self-signed certificate using GnuTLS toolset:
+
+@verbatim
+$ certtool --generate-privkey --ecc --outfile prv.pem
+$ cert_template=`mktemp`
+$ echo cn=gocheese.host > $cert_template
+$ certtool \
+ --generate-self-signed \
+ --load-privkey=prv.pem \
+ --template $cert_template \
+ --outfile=cert.pem
+$ rm $cert_template
+$ gocheese -tls-cert cert.pem -tls-key prv.pem [...]
+@end verbatim
+