diff --git a/conf/frpc_full.ini b/conf/frpc_full.ini
index 7aacfebfb6a71365525fc9134f7a5f1296790df2..f47c1f213272c4d0795dab0fbfcd4a48d0408103 100644
--- a/conf/frpc_full.ini
+++ b/conf/frpc_full.ini
@@ -52,6 +52,10 @@ protocol = tcp
 # if tls_enable is true, frpc will connect frps by tls
 tls_enable = true
 
+# tls_cert_file = client.crt
+# tls_key_file = client.key
+# tls_trusted_ca_file = ca.crt
+
 # specify a dns server, so frpc will use this instead of default one
 # dns_server = 8.8.8.8
 
diff --git a/conf/frps_full.ini b/conf/frps_full.ini
index c0ffb76f1d2fc21dc720b80bac6aaee917748288..969bbe2d5627601d73e1799328a77ff92625997d 100644
--- a/conf/frps_full.ini
+++ b/conf/frps_full.ini
@@ -103,6 +103,10 @@ max_ports_per_client = 0
 # TlsOnly specifies whether to only accept TLS-encrypted connections. By default, the value is false.
 tls_only = false
 
+# tls_cert_file = server.crt
+# tls_key_file = server.key
+# tls_trusted_ca_file = ca.crt
+
 # if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
 # when subdomain is test, the host used by routing is test.frps.com
 subdomain_host = frps.com
diff --git a/models/config/client_common.go b/models/config/client_common.go
index dd6d3a95339e0acdf9d0fafcf12a44b663641c73..1fe148f68c4afa7e8099f30f08afccfeff869457 100644
--- a/models/config/client_common.go
+++ b/models/config/client_common.go
@@ -350,17 +350,16 @@ func (cfg *ClientCommonConf) Check() (err error) {
 
 	if cfg.TLSEnable == false {
 		if cfg.TLSCertFile != "" {
-			fmt.Println("WARNING! Because tls_enable is not true, so tls_cert_file will not make sense")
+			fmt.Println("WARNING! tls_cert_file is invalid when tls_enable is false")
 		}
 
 		if cfg.TLSKeyFile != "" {
-			fmt.Println("WARNING! Because tls_enable is not true, so tls_key_file will not make sense")
+			fmt.Println("WARNING! tls_key_file is invalid when tls_enable is false")
 		}
 
 		if cfg.TLSTrustedCaFile != "" {
-			fmt.Println("WARNING! Because tls_enable is not true, so tls_trusted_ca_file will not make sense")
+			fmt.Println("WARNING! tls_trusted_ca_file is invalid when tls_enable is false")
 		}
 	}
-
 	return
 }
diff --git a/models/config/server_common.go b/models/config/server_common.go
index 0c335581a8f1a5d6fcfbd6d1049f7cfb7267576e..1690aa0e78da064e8b7d025895fdc3a30ac9aec4 100644
--- a/models/config/server_common.go
+++ b/models/config/server_common.go
@@ -448,6 +448,7 @@ func UnmarshalServerConfFromIni(content string) (cfg ServerCommonConf, err error
 
 	if tmpStr, ok := conf.Get("common", "tls_trusted_ca_file"); ok {
 		cfg.TLSTrustedCaFile = tmpStr
+		cfg.TLSOnly = true
 	}
 
 	return
@@ -471,12 +472,6 @@ func UnmarshalPluginsFromIni(sections ini.File, cfg *ServerCommonConf) {
 	}
 }
 
-func (cfg *ServerCommonConf) Check() (err error) {
-	if cfg.TLSOnly == false {
-		if cfg.TLSTrustedCaFile != "" {
-			err = fmt.Errorf("Parse conf error: forbidden tls_trusted_ca_file, it only works when tls_only is true")
-			return
-		}
-	}
-	return
+func (cfg *ServerCommonConf) Check() error {
+	return nil
 }