diff --git a/server/config/development.yaml b/server/config/development.yaml
index 64a5b15e52..60d088b3a0 100644
--- a/server/config/development.yaml
+++ b/server/config/development.yaml
@@ -48,6 +48,9 @@ tls:
 keyData:
 enableHostVerification: false
 serverName:
+uiServerTLS:
+ certFile:
+ keyFile:
 codec:
 endpoint:
 passAccessToken: false
diff --git a/server/config/docker.yaml b/server/config/docker.yaml
index f5a842b93c..90713d44ac 100644
--- a/server/config/docker.yaml
+++ b/server/config/docker.yaml
@@ -43,6 +43,9 @@ tls:
 keyData: {{ env "TEMPORAL_TLS_KEY_DATA" | default "" }}
 enableHostVerification: {{ env "TEMPORAL_TLS_ENABLE_HOST_VERIFICATION" | default "false" }}
 serverName: {{ env "TEMPORAL_TLS_SERVER_NAME" | default "" }}
+uiServerTLS:
+ certFile: {{ env "TEMPORAL_UI_SERVER_TLS_CERT" | default "" }}
+ keyFile: {{ env "TEMPORAL_UI_SERVER_TLS_KEY" | default "" }}
 auth:
 enabled: {{ env "TEMPORAL_AUTH_ENABLED" | default "false" }}
 providers:
diff --git a/server/server/config/config.go b/server/server/config/config.go
index d545b0d3e7..2b31f259e8 100644
--- a/server/server/config/config.go
+++ b/server/server/config/config.go
@@ -69,6 +69,8 @@ type (
 // Forward specified HTTP headers from HTTP API requests to Temporal gRPC backend
 ForwardHeaders []string `yaml:"forwardHeaders"`
 HideLogs bool `yaml:"hideLogs"`
+ // TLS configuration options to start UI Server in TLS mode
+ UIServerTLS UIServerTLS `yaml:"uiServerTLS"`
 }
 
 CORS struct {
@@ -90,6 +92,11 @@ type (
 ServerName string `yaml:"serverName"`
 }
 
+ UIServerTLS struct {
+ CertFile string `yaml:"certFile"`
+ KeyFile string `yaml:"keyFile"`
+ }
+
 Auth struct {
 // Enabled - UI checks this first before reading your provider config
 Enabled bool `yaml:"enabled"`
diff --git a/server/server/server.go b/server/server/server.go
index ecbd7c06c4..57ed2ce6ae 100644
--- a/server/server/server.go
+++ b/server/server/server.go
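Review bot: The `UIServerTLS` struct added in the second config.go hunk has no doc comment, so nothing states that `CertFile` and `KeyFile` appear to be file paths (they are passed straight to `StartTLS` in server.go) or that TLS is enabled only when both are non-empty. I would add `// UIServerTLS holds the certificate and private-key file paths for the UI server's own listener; TLS is enabled only when both are set.` above the struct. The same sentence as a `#` comment above `uiServerTLS:` in development.yaml and docker.yaml would help operators, since the neighbouring `keyData` key suggests inline data is accepted elsewhere. The enclosing `type (` block starts and ends outside the hunk.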
@@ -147,7 +147,14 @@ func (s *Server) Start() error {
 }
 
 address := fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)
- if err := s.httpServer.Start(address); err != http.ErrServerClosed {
+ if cfg.UIServerTLS.CertFile != "" && cfg.UIServerTLS.KeyFile != "" {
+ s.httpServer.Logger.Info("Starting UI server with TLS...")
+ err = s.httpServer.StartTLS(address, cfg.UIServerTLS.CertFile, cfg.UIServerTLS.KeyFile)
+ } else {
+ err = s.httpServer.Start(address)
+ }
+
+ if err != http.ErrServerClosed {
 s.httpServer.Logger.Fatal(err)
 }
 return nil
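Review bot: When only one of `certFile`/`keyFile` is set, the `else` branch starts the UI server over plain HTTP with no warning, so a typo or a missing environment variable silently downgrades a deployment that was meant to serve TLS. I would reject the half-configured case before choosing a listener, e.g. `if (cfg.UIServerTLS.CertFile == "") != (cfg.UIServerTLS.KeyFile == "") { return fmt.Errorf("uiServerTLS: certFile and keyFile must be set together") }`, and log the chosen mode in both branches. The new code assigns `err` with `=`, so it relies on a declaration earlier in `Start`, which begins outside this hunk. It may also be worth confirming which minimum TLS version `StartTLS` accepts by default, since no explicit TLS configuration is set here.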