diff --git a/server/shadow/shadow.c b/server/shadow/shadow.c
index ee42ff523..85ddcab6e 100644
--- a/server/shadow/shadow.c
+++ b/server/shadow/shadow.c
@@ -27,6 +27,7 @@
 #include
 #include
+#include
 #include
 #define TAG SERVER_TAG("shadow")
@@ -35,8 +36,6 @@ int main(int argc, char** argv)
 {
 int status = 0;
 DWORD dwExitCode = 0;
- rdpSettings* settings = NULL;
- rdpShadowServer* server = NULL;
 COMMAND_LINE_ARGUMENT_A shadow_args[] = {
 { "log-filters", COMMAND_LINE_VALUE_REQUIRED, ":[,:[,...]]", NULL, NULL, -1, NULL, "Set logger filters, see wLog(7) for details" },
@@ -98,7 +97,7 @@ int main(int argc, char** argv)
 shadow_subsystem_set_entry_builtin(NULL);
- server = shadow_server_new();
+ rdpShadowServer* server = shadow_server_new();
 if (!server)
 {
@@ -107,7 +106,8 @@ int main(int argc, char** argv)
 goto fail;
 }
- settings = server->settings;
+ rdpSettings* settings = server->settings;
+ WINPR_ASSERT(settings);
 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, TRUE) ||
 !freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE) ||
diff --git a/server/shadow/shadow_client.c b/server/shadow/shadow_client.c
index 571aea604..1dc62c931 100644
--- a/server/shadow/shadow_client.c
+++ b/server/shadow/shadow_client.c
@@ -225,12 +225,6 @@ static BOOL shadow_client_context_new(freerdp_peer* peer, rdpContext* context)
 settings->DrawAllowDynamicColorFidelity = TRUE;
 settings->CompressionLevel = PACKET_COMPR_TYPE_RDP6;
- if (!freerdp_settings_set_string(settings, FreeRDP_CertificateFile, server->CertificateFile))
- goto fail;
-
- if (!freerdp_settings_set_string(settings, FreeRDP_PrivateKeyFile, server->PrivateKeyFile))
- goto fail;
-
 if (server->ipcSocket && (strncmp(bind_address, server->ipcSocket, strnlen(bind_address, sizeof(bind_address))) != 0))
 {
diff --git a/server/shadow/shadow_server.c b/server/shadow/shadow_server.c
index d89c88543..6ddad8d61 100644
--- a/server/shadow/shadow_server.c
+++ b/server/shadow/shadow_server.c
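Review bot: In server/shadow/shadow.c, `server` (hunk at -98,7) and `settings` (hunk at -107,7) lose their `= NULL` initialisation at the top of main() and are now declared mid-function with an initialiser. In C, a `goto fail` placed above those declarations would skip the initialiser and reach the label with an indeterminate pointer; whether such a jump exists, and what the `fail:` label does with `server`, lies outside these hunks. If one does, keep `rdpShadowServer* server = NULL;` at the top of main() and only assign at the new location; building with `-Wjump-misses-init` reports this case.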
@@ -751,11 +751,13 @@ static int shadow_server_init_config_path(rdpShadowServer* server)
 static BOOL shadow_server_init_certificate(rdpShadowServer* server)
 {
- char* filepath;
+ char* filepath = NULL;
 MAKECERT_CONTEXT* makecert = NULL;
 BOOL ret = FALSE;
- char* makecert_argv[6] = { "makecert", "-rdp", "-live", "-silent", "-y", "5" };
- int makecert_argc = (sizeof(makecert_argv) / sizeof(char*));
+ const char* makecert_argv[6] = { "makecert", "-rdp", "-live", "-silent", "-y", "5" };
+ const size_t makecert_argc = (sizeof(makecert_argv) / sizeof(char*));
+
+ WINPR_ASSERT(server);
 if (!winpr_PathFileExists(server->ConfigPath) && !winpr_PathMakePath(server->ConfigPath, 0))
 {
@@ -808,6 +810,27 @@ static BOOL shadow_server_init_certificate(rdpShadowServer* server)
 }
 }
+ rdpSettings* settings = server->settings;
+ WINPR_ASSERT(settings);
+
+ rdpPrivateKey* key = freerdp_key_new_from_file(server->PrivateKeyFile);
+ if (!key)
+ goto out_fail;
+ if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RdpServerRsaKey, key, 1))
+ goto out_fail;
+
+ rdpCertificate* cert = freerdp_certificate_new_from_file(server->CertificateFile);
+ if (!cert)
+ goto out_fail;
+ if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RdpServerCertificate, cert, 1))
+ goto out_fail;
+
+ const BOOL rdpSecurity = freerdp_certificate_is_rsa(cert);
+ if (!rdpSecurity)
+ {
+ if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
+ goto out_fail;
+ }
 ret = TRUE;
 out_fail:
 makecert_context_free(makecert);
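Review bot: `makecert_argc` in the first shadow_server.c hunk is still computed as `sizeof(makecert_argv) / sizeof(char*)` although the element type has just become `const char*`; the two sizes match, but the divisor no longer names the array's element type. As a style point, `const size_t makecert_argc = sizeof(makecert_argv) / sizeof(makecert_argv[0]);` stays correct whatever the element type is. The call that consumes `makecert_argc` and `makecert_argv` is outside the hunk, so whether it accepts `size_t` and `const char**` without a cast cannot be checked from here.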
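Review bot: In the block added before `ret = TRUE;` in shadow_server_init_certificate, `key` and `cert` are not released when the `freerdp_settings_set_pointer_len` call that follows each load returns FALSE; both paths jump to `out_fail`, where the only cleanup visible in this hunk is `makecert_context_free(makecert)`. If the setter leaves ownership with the caller on failure (worth confirming against its implementation), the parsed private key stays allocated and unreferenced. Freeing at the failure site keeps the fix local and avoids touching `key`/`cert` at a label that earlier jumps may reach before they are declared: `if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RdpServerRsaKey, key, 1)) { freerdp_key_free(key); goto out_fail; }`, and the same with `freerdp_certificate_free(cert)` for the certificate. The two load failures are also silent; a `WLog_ERR` naming `server->PrivateKeyFile` or `server->CertificateFile` before each `goto out_fail` would tell an operator which file was rejected. The function body starts and ends outside this hunk.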