diff --git a/server/src/option.rs b/server/src/option.rs
index c1ea351b0..fb5e63f9a 100644
--- a/server/src/option.rs
+++ b/server/src/option.rs
@@ -168,11 +168,21 @@ where
     S: Clone + clap::Args + StorageOpt,
 {
     /// The location of TLS Cert file
-    #[arg(long, env = "P_TLS_CERT_PATH", value_name = "path")]
+    #[arg(
+        long,
+        env = "P_TLS_CERT_PATH",
+        value_name = "path",
+        value_parser = validation::file_path
+    )]
     pub tls_cert_path: Option<PathBuf>,
 
     /// The location of TLS Private Key file
-    #[arg(long, env = "P_TLS_KEY_PATH", value_name = "path")]
+    #[arg(
+        long,
+        env = "P_TLS_KEY_PATH",
+        value_name = "path",
+        value_parser = validation::file_path
+    )]
     pub tls_key_path: Option<PathBuf>,
 
     /// The address on which the http server will listen.
@@ -251,3 +261,21 @@ where
         "http".to_string()
     }
 }
+
+pub(self) mod validation {
+    use std::path::PathBuf;
+
+    pub fn file_path(s: &str) -> Result<PathBuf, String> {
+        if s.is_empty() {
+            return Err("empty path".to_owned());
+        }
+
+        let path = PathBuf::from(s);
+
+        if !path.is_file() {
+            return Err("path specified does not point to an accessible file".to_string());
+        }
+
+        Ok(path)
+    }
+}