diff --git a/docs/config.yaml b/docs/config.yaml
index 030328b6..bfcdc0cd 100644
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -937,6 +937,9 @@ listeners:
         uuid: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68
         alterId: 1
     # ws-path: "/" # 如果不为空则开启websocket传输层
+    # 下面两项如果填写则开启tls(需要同时填写)
+    # certificate: ./server.crt
+    # private-key: ./server.key
 
   - name: tuic-in-1
     type: tuic
diff --git a/listener/config/vmess.go b/listener/config/vmess.go
index 88bde9a4..1cf2d46c 100644
--- a/listener/config/vmess.go
+++ b/listener/config/vmess.go
@@ -11,10 +11,12 @@ type VmessUser struct {
 }
 
 type VmessServer struct {
-	Enable bool
-	Listen string
-	Users  []VmessUser
-	WsPath string
+	Enable      bool
+	Listen      string
+	Users       []VmessUser
+	WsPath      string
+	Certificate string
+	PrivateKey  string
 }
 
 func (t VmessServer) String() string {
diff --git a/listener/inbound/vmess.go b/listener/inbound/vmess.go
index 36bb208b..3f516198 100644
--- a/listener/inbound/vmess.go
+++ b/listener/inbound/vmess.go
@@ -9,8 +9,10 @@ import (
 
 type VmessOption struct {
 	BaseOption
-	Users  []VmessUser `inbound:"users"`
-	WsPath string      `inbound:"ws-path,omitempty"`
+	Users       []VmessUser `inbound:"users"`
+	WsPath      string      `inbound:"ws-path,omitempty"`
+	Certificate string      `inbound:"certificate,omitempty"`
+	PrivateKey  string      `inbound:"private-key,omitempty"`
 }
 
 type VmessUser struct {
@@ -47,10 +49,12 @@ func NewVmess(options *VmessOption) (*Vmess, error) {
 		Base:   base,
 		config: options,
 		vs: LC.VmessServer{
-			Enable: true,
-			Listen: base.RawAddress(),
-			Users:  users,
-			WsPath: options.WsPath,
+			Enable:      true,
+			Listen:      base.RawAddress(),
+			Users:       users,
+			WsPath:      options.WsPath,
+			Certificate: options.Certificate,
+			PrivateKey:  options.PrivateKey,
 		},
 	}, nil
 }
diff --git a/listener/sing_vmess/server.go b/listener/sing_vmess/server.go
index 96d713c9..014e86f9 100644
--- a/listener/sing_vmess/server.go
+++ b/listener/sing_vmess/server.go
@@ -2,6 +2,7 @@ package sing_vmess
 
 import (
 	"context"
+	"crypto/tls"
 	"net"
 	"net/http"
 	"net/url"
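Review bot: The new `Certificate` and `PrivateKey` fields on `VmessServer` carry no comment saying what they hold, and the only hint is the server hunk later in this diff, where they are handed to `N.ParseCert(config.Certificate, config.PrivateKey, C.Path)` — so they appear to be file paths resolved against `C.Path`, and TLS is enabled only when both are non-empty. A field comment such as `// Certificate and PrivateKey are paths to the PEM files (resolved via C.Path); both must be set to enable TLS on the listener.` would make that contract visible to anyone reading the struct rather than the listener code. The same comment applies to the matching fields added to `VmessOption` in listener/inbound/vmess.go, whose `inbound:"certificate"` / `inbound:"private-key"` tags are otherwise the only documentation of the config keys.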
@@ -67,8 +68,16 @@ func New(config LC.VmessServer, tunnel C.Tunnel, additions ...inbound.Addition)
 	sl = &Listener{false, config, nil, service}
 
+	tlsConfig := &tls.Config{}
 	var httpMux *http.ServeMux
+	if config.Certificate != "" && config.PrivateKey != "" {
+		cert, err := N.ParseCert(config.Certificate, config.PrivateKey, C.Path)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
 	if config.WsPath != "" {
 		httpMux = http.NewServeMux()
 		httpMux.HandleFunc(config.WsPath, func(w http.ResponseWriter, r *http.Request) {
@@ -79,6 +88,7 @@ func New(config LC.VmessServer, tunnel C.Tunnel, additions ...inbound.Addition)
 			}
 			sl.HandleConn(conn, tunnel)
 		})
+		tlsConfig.NextProtos = append(tlsConfig.NextProtos, "http/1.1")
 	}
 
 	for _, addr := range strings.Split(config.Listen, ",") {
@@ -89,6 +99,9 @@ func New(config LC.VmessServer, tunnel C.Tunnel, additions ...inbound.Addition)
 		if err != nil {
 			return nil, err
 		}
+		if len(tlsConfig.Certificates) > 0 {
+			l = tls.NewListener(l, tlsConfig)
+		}
 		sl.listeners = append(sl.listeners, l)
 
 		go func() {
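Review bot: The guard `if config.Certificate != "" && config.PrivateKey != ""` fails open — when exactly one of the two paths is set (a typo in one key, or a half-edited config) no certificate is loaded and the listener silently comes up in plaintext, even though the docs hunk tells users both must be filled in (需要同时填写). Rejecting the mismatch at startup, `if (config.Certificate != "") != (config.PrivateKey != "") { return nil, <descriptive error> }` placed before the existing guard, turns that misconfiguration into a visible failure instead of an unencrypted listener. Separately, `tlsConfig := &tls.Config{}` leaves `MinVersion` unset, so the accepted protocol floor is whatever the toolchain defaults to for servers (TLS 1.0 before Go 1.22); `tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}` pins the baseline explicitly. `New`'s body begins before this hunk and continues past it.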
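Review bot: `l = tls.NewListener(l, tlsConfig)` wraps the accepted connections so the TLS handshake runs lazily on the first Read/Write, and nothing in this hunk bounds that handshake; the `go func()` accept loop starts on the hunk's last line but its body is outside the hunk, so if the consumer does not set a deadline before the first read, a peer that stalls mid-handshake holds a goroutine and a socket for as long as it likes. Wrapping each accepted `*tls.Conn` with a bounded `HandshakeContext` (clearing the deadline afterwards) before handing it to `sl.HandleConn` is the usual way to cap that cost; this is presumably handled downstream, but it is worth confirming. As a point of style, `len(tlsConfig.Certificates) > 0` re-derives the decision already made by the earlier `config.Certificate != "" && config.PrivateKey != ""` check; a single `useTLS` bool set once keeps the two branches from drifting.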