diff --git a/packages/xo-server-auth-ldap/README.md b/packages/xo-server-auth-ldap/README.md
index add959999..3ce5aaa56 100644
--- a/packages/xo-server-auth-ldap/README.md
+++ b/packages/xo-server-auth-ldap/README.md
@@ -29,14 +29,14 @@ plugins:
 # Path to CA certificates to use when connecting to
 # SSL-secured LDAP servers. If not specified, it will use
 # a default set of well-known CAs.
- ca_certificates:
- - /path/to/ca_cert.pem
- - /path/to/another/ca_cert.pem
+ certificateAuthorities:
+ - /path/to/ca_cert.pem
+ - /path/to/another/ca_cert.pem
 # Check the validity of the server's certificate. Useful
 # when connecting to servers that use a self-signed certificate.
 # Defaults to true if not specified.
- check_certificate: true
+ checkCertificate: true
 # Credentials to use before looking for the user record.
 #
diff --git a/packages/xo-server-auth-ldap/src/index.js b/packages/xo-server-auth-ldap/src/index.js
index 5835152de..5e2152b1c 100644
--- a/packages/xo-server-auth-ldap/src/index.js
+++ b/packages/xo-server-auth-ldap/src/index.js
@@ -4,6 +4,7 @@ import Bluebird, {coroutine, promisify} from 'bluebird'
 import eventToPromise from 'event-to-promise'
 import {createClient} from 'ldapjs'
 import {escape} from 'ldapjs/lib/filters/escape'
+import {readFileSync} from 'fs'
 // ===================================================================
@@ -27,23 +28,27 @@ class AuthLdap {
 const clientOpts = {
 url: conf.uri,
 maxConnections: 5,
- tlsOptions: { }
+ tlsOptions: {}
 }
 {
- const {bind} = conf
+ const {
+ bind,
+ checkCertificate = true,
+ certificateAuthorities
+ } = conf
+
 if (bind) {
 clientOpts.bindDN = bind.dn
 clientOpts.bindCredentials = bind.password
 }
- }
- if (conf.check_certificate !== undefined) {
- clientOpts.tlsOptions.rejectUnauthorized = conf.check_certificate
- }
+ const {tlsOptions} = clientOpts
- if (conf.ca_certificates !== undefined) {
- clientOpts.tlsOptions.ca = conf.ca_certificates
+ tlsOptions.rejectUnauthorized = !checkCertificate
+ if (certificateAuthorities) {
+ tlsOptions.ca = certificateAuthorities.map(path => readFileSync(path))
+ }
 }
 const {base: searchBase} = conf
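Review bot: `tlsOptions.rejectUnauthorized = !checkCertificate` inverts the option: with the destructured default `checkCertificate = true` (and the README's "Defaults to true"), every configuration that omits the key now runs with `rejectUnauthorized = false`, so the LDAP server's certificate is never verified, while `checkCertificate: false` is what would turn verification on. The removed code passed `conf.check_certificate` straight through, so the negation reads as a typo rather than an intended semantic change; the line should be `tlsOptions.rejectUnauthorized = checkCertificate`. Reading the CA files with `readFileSync` at configuration time also means an unreadable path now throws here instead of at connect time, which is presumably acceptable but deserves a short comment on the `map` line. The enclosing method starts before this hunk and continues past `const {base: searchBase} = conf`.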