diff --git a/graffiti/assets/assets.go b/graffiti/assets/assets.go
new file mode 100644
index 0000000000000000000000000000000000000000..dec8039465f3af61882f56f73729ee1bb983c788
--- /dev/null
+++ b/graffiti/assets/assets.go
@@ -0,0 +1,6 @@
+package assets
+
+// Assets is the interface by an asset provider
+type Assets interface {
+ Asset(name string) ([]byte, error)
+}
diff --git a/graffiti/tls/tls.go b/graffiti/tls/tls.go
new file mode 100644
index 0000000000000000000000000000000000000000..5f2e8595eacd9ce830664d846a12f7559af003dd
--- /dev/null
+++ b/graffiti/tls/tls.go
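Review bot: The doc comment on `Assets` reads `// Assets is the interface by an asset provider`, which is missing its verb; `// Assets is the interface implemented by an asset provider.` reads correctly. The single method `Asset` carries no comment at all, so a caller cannot tell what `name` identifies; a one-liner such as `// Asset returns the contents of the asset called name.` would close that gap.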
@@ -0,0 +1,55 @@
+package tls
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "io/ioutil"
+)
+
+// SetupTLSLoadCA creates an X509 certificate from file
+func SetupTLSLoadCA(certPEM string) (*x509.CertPool, error) {
+ rootPEM, err := ioutil.ReadFile(certPEM)
+ if err != nil {
+ return nil, fmt.Errorf("Failed to open root certificate '%s' : %s", certPEM, err)
+ }
+ roots := x509.NewCertPool()
+ ok := roots.AppendCertsFromPEM([]byte(rootPEM))
+ if !ok {
+ return nil, fmt.Errorf("Failed to parse root certificate '%s'", rootPEM)
+ }
+ return roots, nil
+}
+
+// SetupTLSClientConfig creates a client X509 certificate from public and private key
+func SetupTLSClientConfig(certPEM string, keyPEM string) (*tls.Config, error) {
+ cert, err := tls.LoadX509KeyPair(certPEM, keyPEM)
+ if err != nil {
+ return nil, fmt.Errorf("Can't read X509 key pair set in config : cert '%s' key '%s' : %s", certPEM, keyPEM, err)
+ }
+ cfgTLS := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ }
+ return cfgTLS, nil
+}
+
+// SetupTLSServerConfig creates a server X509 certificate from public and private key
+func SetupTLSServerConfig(certPEM string, keyPEM string) (*tls.Config, error) {
+ cfgTLS, err := SetupTLSClientConfig(certPEM, keyPEM)
+ if err != nil {
+ return nil, err
+ }
+
+ cfgTLS.MinVersion = tls.VersionTLS12
+ cfgTLS.ClientAuth = tls.VerifyClientCertIfGiven
+ cfgTLS.CurvePreferences = []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}
+ cfgTLS.PreferServerCipherSuites = true
+ cfgTLS.CipherSuites = []uint16{
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ }
+
+ return cfgTLS, nil
+}
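Review bot: `SetupTLSServerConfig` sets `ClientAuth = tls.VerifyClientCertIfGiven` but never assigns `ClientCAs`, so a presented client certificate is verified against the system root store rather than the pool that `SetupTLSLoadCA` builds, and a client that presents no certificate still completes the handshake; if client certificates are meant to gate access, the caller has to wire the pool in (e.g. `cfgTLS.ClientCAs = roots`) and likely wants `tls.RequireAndVerifyClientCert`, otherwise every handler must inspect `PeerCertificates` itself. In `SetupTLSLoadCA`, the parse-failure branch formats `rootPEM` (the file's contents) into the error instead of the path; it should be `return nil, fmt.Errorf("Failed to parse root certificate '%s'", certPEM)`, and the `[]byte(rootPEM)` conversion is redundant because `ioutil.ReadFile` already returns `[]byte`. `SetupTLSClientConfig` sets no `MinVersion`, so the client side falls back to the runtime's default floor, which on older Go toolchains is below TLS 1.2; adding `cfgTLS.MinVersion = tls.VersionTLS12` there keeps both sides at the same floor. The three doc comments describe "creating" certificates, but each function loads files and returns a `*x509.CertPool` or `*tls.Config`; for example `// SetupTLSClientConfig returns a tls.Config holding the X509 key pair loaded from certPEM and keyPEM.` describes what the code does.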