diff --git a/src/include/tls-h b/src/include/tls-h
index 206f55db79802..3c002e4a5c243 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -351,6 +351,7 @@ struct fr_tls_server_conf_t {
 	CONF_SECTION	*cs;
 
 	char const	*private_key_password;
+	char const      *private_key_password_file;
 	char const	*private_key_file;
 	char const	*certificate_file;
 	char const	*random_file;
diff --git a/src/main/tls.c b/src/main/tls.c
index 354dc05d9a15a..b6dcace3cd888 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1634,6 +1634,7 @@ static CONF_PARSER tls_server_config[] = {
 	{ "CA_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, fr_tls_server_conf_t, ca_file), NULL },
 	{ "ca_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, ca_file), NULL },
 	{ "private_key_password", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, fr_tls_server_conf_t, private_key_password), NULL },
+	{ "private_key_password_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, private_key_password_file), NULL },
 #ifdef PSK_MAX_IDENTITY_LEN
 	{ "psk_identity", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, psk_identity), NULL },
 	{ "psk_hexphrase", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, fr_tls_server_conf_t, psk_password), NULL },
@@ -3851,6 +3852,29 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
 			SSL_CTX_set_default_passwd_cb(ctx, cbtls_password);
 		}
 	}
+	if (conf->private_key_password_file) {
+		FILE* passwordfile = fopen(conf->private_key_password_file, "r");
+		if (passwordfile) {
+			char password[256];
+			if(fgets(password, sizeof(password), passwordfile)) {
+				/*
+				 *  Remove CR/LF characters at the end of the string
+				 */
+				size_t index = strlen(password);
+				while (index > 0 && (password[index - 1] == '\r' || password[index - 1] == '\n')) {
+					index = index - 1;
+					password[index] = '\0';
+				}
+				SSL_CTX_set_default_passwd_cb_userdata(ctx, password);
+				SSL_CTX_set_default_passwd_cb(ctx, cbtls_password);
+			} else {
+				ERROR(LOG_PREFIX ": Error reading private_key_password_file %s", conf->private_key_password_file);
+			}
+			fclose(passwordfile);
+		} else {
+			ERROR(LOG_PREFIX ": Error opening private_key_password_file %s", conf->private_key_password_file);
+		}
+	}
 
 #ifdef PSK_MAX_IDENTITY_LEN
 	/*