diff --git a/mtest/ignitions/worker.yml b/mtest/ignitions/worker.yml
index 0637dd87..a2ef727f 100644
--- a/mtest/ignitions/worker.yml
+++ b/mtest/ignitions/worker.yml
@@ -1,7 +1,7 @@
 passwd: passwd.yml
 files:
 - /etc/hostname
- - /etc/sabakan/neco.crt
+ - /etc/sabakan/sabakan-tls-ca.crt
 networkd:
 - 10-eth0.network
 systemd:
diff --git a/pkg/sabakan-cryptsetup/cmd/driver.go b/pkg/sabakan-cryptsetup/cmd/driver.go
index 790a625f..31591eec 100644
--- a/pkg/sabakan-cryptsetup/cmd/driver.go
+++ b/pkg/sabakan-cryptsetup/cmd/driver.go
@@ -37,7 +37,7 @@ type Driver struct {
 // It may return nil when the serial code of the machine cannot be identified,
 // or sabakanURL is not valid.
 func NewDriver(sabakanURL, cipher string, keySize int, tpmdev string, disks []Disk) (*Driver, error) {
- crt, err := os.ReadFile("/etc/sabakan/neco.crt")
+ crt, err := os.ReadFile(opts.caCert)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/sabakan-cryptsetup/cmd/root.go b/pkg/sabakan-cryptsetup/cmd/root.go
index 06e15ac7..1f33cbe2 100644
--- a/pkg/sabakan-cryptsetup/cmd/root.go
+++ b/pkg/sabakan-cryptsetup/cmd/root.go
@@ -14,6 +14,7 @@ const (
 defaultTPMDev = "/dev/tpm0"
 defaultCipher = "aes-xts-plain64"
 defaultKeySize = 512
+ defaultCACert = "/etc/sabakan/sabakan-tls-ca.crt"
 )
 var opts struct {
@@ -22,6 +23,7 @@ var opts struct {
 tpmdev string
 keySize int
 excludes []string
+ caCert string
 }
 var rootCmd = &cobra.Command{
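Review bot: NewDriver now reads the CA path from the package-level `opts` while every other setting (sabakanURL, cipher, keySize, tpmdev) arrives as a parameter, so the trust anchor for the sabakan connection becomes a hidden input that callers and tests cannot set. Consider passing the path in explicitly, and since the path is now operator-supplied, wrap the read failure so the log names the file: `return nil, fmt.Errorf("read sabakan CA certificate %q: %w", opts.caCert, err)` (assuming `fmt` is imported in driver.go, which the hunk does not show). The doc comment above still lists only the serial code and sabakanURL as reasons for a nil result; it could gain a line such as `// or the CA certificate cannot be read.` The function body continues outside the hunk, so whether the PEM parse result is checked is not visible here.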
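Review bot: Changing the default in `defaultCACert` from `/etc/sabakan/neco.crt` to `/etc/sabakan/sabakan-tls-ca.crt` means a machine whose image still installs only the old file will fail at the `os.ReadFile` call in NewDriver unless `--cert` is passed. Only mtest/ignitions/worker.yml is updated in this diff, so it is worth confirming that every template that installs the certificate is renamed in the same rollout; presumably a failed read stops sabakan-cryptsetup before it can set up the encrypted disks. A short comment on the constant would also help, e.g. `// defaultCACert is the CA certificate used to verify the sabakan server.`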
@@ -71,10 +73,11 @@ func init() {
 if sabaURL == "" {
 sabaURL = defaultSabakanURL
 }
-
 rootCmd.Flags().StringVar(&opts.sabakanURL, "server", sabaURL, "URL of sabakan server")
 rootCmd.Flags().StringVar(&opts.tpmdev, "tpmdev", defaultTPMDev, "device file path of tpm")
 rootCmd.Flags().StringVar(&opts.cipher, "cipher", defaultCipher, "cipher specification")
 rootCmd.Flags().IntVar(&opts.keySize, "keysize", defaultKeySize, "key size in bits")
 rootCmd.Flags().StringArrayVar(&opts.excludes, "excludes", nil, `disk name patterns to be excluded, e.g. "nvme*"`)
+ rootCmd.Flags().StringVar(&opts.caCert, "cert", defaultCACert, "location of sabakan CA certificate")
+
 }
diff --git a/web/main_test.go b/web/main_test.go
index 04445bc3..c5337918 100644
--- a/web/main_test.go
+++ b/web/main_test.go
@@ -18,7 +18,6 @@ func newTestServer(m sabakan.Model) *Server {
 _, ipnet, _ := net.ParseCIDR("192.0.2.1/24")
 u, _ := url.Parse(testMyURL)
 us, _ := url.Parse(testMyURLHTTPS)
-
 return NewServer(m, "", "", u, us, []*net.IPNet{ipnet}, false, nil, false)
 }
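Review bot: The new flag is named `cert`, which on a TLS client reads like a client certificate rather than the trust anchor it configures; a name and help text that say CA would make a misconfiguration less likely, e.g. `rootCmd.Flags().StringVar(&opts.caCert, "ca-cert", defaultCACert, "path to the CA certificate used to verify the sabakan server")`. The hunk also drops the blank line after the `if sabaURL == ""` block and adds one just before the closing brace of `init`, which looks unintended. init's body starts outside the hunk.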