diff --git a/CHANGELOG_PENDING.md b/CHANGELOG_PENDING.md
index d57446a10..d81e815f3 100644
--- a/CHANGELOG_PENDING.md
+++ b/CHANGELOG_PENDING.md
@@ -24,5 +24,6 @@ program](https://hackerone.com/tendermint).
 ### FEATURES:
 
 ### IMPROVEMENTS:
+  - [rpc] \#3700 Make possible to set absolute paths for TLS cert and key (@climber73)
 
 ### BUG FIXES:
diff --git a/config/config.go b/config/config.go
index aa25cff6b..32e37f3e1 100644
--- a/config/config.go
+++ b/config/config.go
@@ -351,7 +351,8 @@ type RPCConfig struct {
 	// See https://github.com/tendermint/tendermint/issues/3435
 	TimeoutBroadcastTxCommit time.Duration `mapstructure:"timeout_broadcast_tx_commit"`
 
-	// The name of a file containing certificate that is used to create the HTTPS server.
+	// The path to a file containing certificate that is used to create the HTTPS server.
+	// Migth be either absolute path or path related to tendermint's config directory.
 	//
 	// If the certificate is signed by a certificate authority,
 	// the certFile should be the concatenation of the server's certificate, any intermediates,
@@ -360,7 +361,8 @@ type RPCConfig struct {
 	// NOTE: both tls_cert_file and tls_key_file must be present for Tendermint to create HTTPS server. Otherwise, HTTP server is run.
 	TLSCertFile string `mapstructure:"tls_cert_file"`
 
-	// The name of a file containing matching private key that is used to create the HTTPS server.
+	// The path to a file containing matching private key that is used to create the HTTPS server.
+	// Migth be either absolute path or path related to tendermint's config directory.
 	//
 	// NOTE: both tls_cert_file and tls_key_file must be present for Tendermint to create HTTPS server. Otherwise, HTTP server is run.
 	TLSKeyFile string `mapstructure:"tls_key_file"`
@@ -424,11 +426,19 @@ func (cfg *RPCConfig) IsCorsEnabled() bool {
 }
 
 func (cfg RPCConfig) KeyFile() string {
-	return rootify(filepath.Join(defaultConfigDir, cfg.TLSKeyFile), cfg.RootDir)
+	path := cfg.TLSKeyFile
+	if filepath.IsAbs(path) {
+		return path
+	}
+	return rootify(filepath.Join(defaultConfigDir, path), cfg.RootDir)
 }
 
 func (cfg RPCConfig) CertFile() string {
-	return rootify(filepath.Join(defaultConfigDir, cfg.TLSCertFile), cfg.RootDir)
+	path := cfg.TLSCertFile
+	if filepath.IsAbs(path) {
+		return path
+	}
+	return rootify(filepath.Join(defaultConfigDir, path), cfg.RootDir)
 }
 
 func (cfg RPCConfig) IsTLSEnabled() bool {
diff --git a/config/config_test.go b/config/config_test.go
index afdbed181..6f9e3783e 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -36,3 +36,19 @@ func TestConfigValidateBasic(t *testing.T) {
 	cfg.Consensus.TimeoutPropose = -10 * time.Second
 	assert.Error(t, cfg.ValidateBasic())
 }
+
+func TestTLSConfiguration(t *testing.T) {
+	assert := assert.New(t)
+	cfg := DefaultConfig()
+	cfg.SetRoot("/home/user")
+
+	cfg.RPC.TLSCertFile = "file.crt"
+	assert.Equal("/home/user/config/file.crt", cfg.RPC.CertFile())
+	cfg.RPC.TLSKeyFile = "file.key"
+	assert.Equal("/home/user/config/file.key", cfg.RPC.KeyFile())
+
+	cfg.RPC.TLSCertFile = "/abs/path/to/file.crt"
+	assert.Equal("/abs/path/to/file.crt", cfg.RPC.CertFile())
+	cfg.RPC.TLSKeyFile = "/abs/path/to/file.key"
+	assert.Equal("/abs/path/to/file.key", cfg.RPC.KeyFile())
+}
diff --git a/config/toml.go b/config/toml.go
index b1541c05a..09117a0fb 100644
--- a/config/toml.go
+++ b/config/toml.go
@@ -192,14 +192,16 @@ max_subscriptions_per_client = {{ .RPC.MaxSubscriptionsPerClient }}
 # See https://github.com/tendermint/tendermint/issues/3435
 timeout_broadcast_tx_commit = "{{ .RPC.TimeoutBroadcastTxCommit }}"
 
-# The name of a file containing certificate that is used to create the HTTPS server.
+# The path to a file containing certificate that is used to create the HTTPS server.
+# Migth be either absolute path or path related to tendermint's config directory.
 # If the certificate is signed by a certificate authority,
 # the certFile should be the concatenation of the server's certificate, any intermediates,
 # and the CA's certificate.
 # NOTE: both tls_cert_file and tls_key_file must be present for Tendermint to create HTTPS server. Otherwise, HTTP server is run.
 tls_cert_file = "{{ .RPC.TLSCertFile }}"
 
-# The name of a file containing matching private key that is used to create the HTTPS server.
+# The path to a file containing matching private key that is used to create the HTTPS server.
+# Migth be either absolute path or path related to tendermint's config directory.
 # NOTE: both tls_cert_file and tls_key_file must be present for Tendermint to create HTTPS server. Otherwise, HTTP server is run.
 tls_key_file = "{{ .RPC.TLSKeyFile }}"
 
diff --git a/docs/tendermint-core/configuration.md b/docs/tendermint-core/configuration.md
index f24e76d6d..df05f7c5d 100644
--- a/docs/tendermint-core/configuration.md
+++ b/docs/tendermint-core/configuration.md
@@ -138,14 +138,16 @@ max_subscriptions_per_client = 5
 # See https://github.com/tendermint/tendermint/issues/3435
 timeout_broadcast_tx_commit = "10s"
 
-# The name of a file containing certificate that is used to create the HTTPS server.
+# The path to a file containing certificate that is used to create the HTTPS server.
+# Migth be either absolute path or path related to tendermint's config directory.
 # If the certificate is signed by a certificate authority,
 # the certFile should be the concatenation of the server's certificate, any intermediates,
 # and the CA's certificate.
 # NOTE: both tls_cert_file and tls_key_file must be present for Tendermint to create HTTPS server. Otherwise, HTTP server is run.
 tls_cert_file = ""
 
-# The name of a file containing matching private key that is used to create the HTTPS server.
+# The path to a file containing matching private key that is used to create the HTTPS server.
+# Migth be either absolute path or path related to tendermint's config directory.
 # NOTE: both tls_cert_file and tls_key_file must be present for Tendermint to create HTTPS server. Otherwise, HTTP server is run.
 tls_key_file = ""