diff --git a/benchmark/worker/benchmark_client.go b/benchmark/worker/benchmark_client.go
index 4ca2955d..ee6168b1 100644
--- a/benchmark/worker/benchmark_client.go
+++ b/benchmark/worker/benchmark_client.go
@@ -19,6 +19,7 @@
 package main
 
 import (
+	"flag"
 	"math"
 	"runtime"
 	"sync"
@@ -36,6 +37,10 @@ import (
 	"google.golang.org/grpc/testdata"
 )
 
+var (
+	caFile = flag.String("ca_file", "", "The file containning the CA root cert file")
+)
+
 type lockingHistogram struct {
 	mu        sync.Mutex
 	histogram *stats.Histogram
@@ -119,7 +124,10 @@ func createConns(config *testpb.ClientConfig) ([]*grpc.ClientConn, func(), error
 
 	// Check and set security options.
 	if config.SecurityParams != nil {
-		creds, err := credentials.NewClientTLSFromFile(testdata.Path("ca.pem"), config.SecurityParams.ServerHostOverride)
+		if *caFile == "" {
+			*caFile = testdata.Path("ca.pem")
+		}
+		creds, err := credentials.NewClientTLSFromFile(*caFile, config.SecurityParams.ServerHostOverride)
 		if err != nil {
 			return nil, nil, grpc.Errorf(codes.InvalidArgument, "failed to create TLS credentials %v", err)
 		}
diff --git a/benchmark/worker/benchmark_server.go b/benchmark/worker/benchmark_server.go
index c6703a1f..238dfdeb 100644
--- a/benchmark/worker/benchmark_server.go
+++ b/benchmark/worker/benchmark_server.go
@@ -19,6 +19,7 @@
 package main
 
 import (
+	"flag"
 	"runtime"
 	"strconv"
 	"strings"
@@ -35,6 +36,11 @@ import (
 	"google.golang.org/grpc/testdata"
 )
 
+var (
+	certFile = flag.String("tls_cert_file", "", "The TLS cert file")
+	keyFile  = flag.String("tls_key_file", "", "The TLS key file")
+)
+
 type benchmarkServer struct {
 	port            int
 	cores           int
@@ -85,7 +91,13 @@ func startBenchmarkServer(config *testpb.ServerConfig, serverPort int) (*benchma
 
 	// Set security options.
 	if config.SecurityParams != nil {
-		creds, err := credentials.NewServerTLSFromFile(testdata.Path("server1.pem"), testdata.Path("server1.key"))
+		if *certFile == "" {
+			*certFile = testdata.Path("server1.pem")
+		}
+		if *keyFile == "" {
+			*keyFile = testdata.Path("server1.key")
+		}
+		creds, err := credentials.NewServerTLSFromFile(*certFile, *keyFile)
 		if err != nil {
 			grpclog.Fatalf("failed to generate credentials %v", err)
 		}
diff --git a/interop/client/client.go b/interop/client/client.go
index 2620c1f8..60bf7f3c 100644
--- a/interop/client/client.go
+++ b/interop/client/client.go
@@ -33,6 +33,7 @@ import (
 )
 
 var (
+	caFile                = flag.String("ca_file", "", "The file containning the CA root cert file")
 	useTLS                = flag.Bool("use_tls", false, "Connection uses TLS if true, else plain TCP")
 	testCA                = flag.Bool("use_test_ca", false, "Whether to replace platform root CAs with test CA as the CA root")
 	serviceAccountKeyFile = flag.String("service_account_key_file", "", "Path to service account json key file")
@@ -75,7 +76,10 @@ func main() {
 		var creds credentials.TransportCredentials
 		if *testCA {
 			var err error
-			creds, err = credentials.NewClientTLSFromFile(testdata.Path("ca.pem"), sn)
+			if *caFile == "" {
+				*caFile = testdata.Path("ca.pem")
+			}
+			creds, err = credentials.NewClientTLSFromFile(*caFile, sn)
 			if err != nil {
 				grpclog.Fatalf("Failed to create TLS credentials %v", err)
 			}
diff --git a/stress/client/main.go b/stress/client/main.go
index 1e5ac624..ca2e7039 100644
--- a/stress/client/main.go
+++ b/stress/client/main.go
@@ -50,6 +50,7 @@ var (
 	useTLS               = flag.Bool("use_tls", false, "Connection uses TLS if true, else plain TCP")
 	testCA               = flag.Bool("use_test_ca", false, "Whether to replace platform root CAs with test CA as the CA root")
 	tlsServerName        = flag.String("server_host_override", "foo.test.google.fr", "The server name use to verify the hostname returned by TLS handshake if it is not empty. Otherwise, --server_host is used.")
+	caFile               = flag.String("ca_file", "", "The file containning the CA root cert file")
 )
 
 // testCaseWithWeight contains the test case type and its weight.
@@ -275,7 +276,10 @@ func newConn(address string, useTLS, testCA bool, tlsServerName string) (*grpc.C
 		var creds credentials.TransportCredentials
 		if testCA {
 			var err error
-			creds, err = credentials.NewClientTLSFromFile(testdata.Path("ca.pem"), sn)
+			if *caFile == "" {
+				*caFile = testdata.Path("ca.pem")
+			}
+			creds, err = credentials.NewClientTLSFromFile(*caFile, sn)
 			if err != nil {
 				grpclog.Fatalf("Failed to create TLS credentials %v", err)
 			}