diff --git a/src/cert_reader.rs b/src/cert_file_reader.rs
similarity index 98%
rename from src/cert_reader.rs
rename to src/cert_file_reader.rs
index a52f2e2..53a736e 100644
--- a/src/cert_reader.rs
+++ b/src/cert_file_reader.rs
@@ -1,4 +1,4 @@
-use crate::{log::*, proxy::CertsAndKeys};
+use crate::{certs::CertsAndKeys, log::*};
 use rustls::{Certificate, PrivateKey};
 use std::{
   fs::File,
diff --git a/src/certs.rs b/src/certs.rs
new file mode 100644
index 0000000..3008900
--- /dev/null
+++ b/src/certs.rs
@@ -0,0 +1,17 @@
+use async_trait::async_trait;
+use rustls::{Certificate, PrivateKey};
+
+/// Certificates and private keys in rustls loaded from files
+#[derive(Debug, PartialEq, Eq, Clone)]
+pub struct CertsAndKeys {
+  pub certs: Vec<Certificate>,
+  pub cert_keys: Vec<PrivateKey>,
+  pub client_ca_certs: Option<Vec<Certificate>>,
+}
+
+#[async_trait]
+// Trait to read certs and keys anywhere from KVS, file, sqlite, etc.
+pub trait ReadCerts {
+  type Error;
+  async fn read_crypto_source(&self) -> Result<CertsAndKeys, Self::Error>;
+}
diff --git a/src/main.rs b/src/main.rs
index ea47e57..526c290 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -6,7 +6,8 @@ use tikv_jemallocator::Jemalloc;
 static GLOBAL: Jemalloc = Jemalloc;
 
 mod backend;
-mod cert_reader;
+mod cert_file_reader;
+mod certs;
 mod config;
 mod constants;
 mod error;
diff --git a/src/proxy/crypto_service.rs b/src/proxy/crypto_service.rs
index 728a531..629119b 100644
--- a/src/proxy/crypto_service.rs
+++ b/src/proxy/crypto_service.rs
@@ -1,5 +1,6 @@
 use crate::{
-  cert_reader::read_certs_and_keys, // TODO: Trait defining read_certs_and_keys and add struct implementing the trait to backend when build backend
+  cert_file_reader::read_certs_and_keys, // TODO: Trait defining read_certs_and_keys and add struct implementing the trait to backend when build backend
+  certs::CertsAndKeys,
   globals::Globals,
   log::*,
   utils::ServerNameBytesExp,
@@ -10,7 +11,7 @@ use rustc_hash::{FxHashMap as HashMap, FxHashSet as HashSet};
 use rustls::{
   server::ResolvesServerCertUsingSni,
   sign::{any_supported_type, CertifiedKey},
-  Certificate, OwnedTrustAnchor, PrivateKey, RootCertStore, ServerConfig,
+  OwnedTrustAnchor, RootCertStore, ServerConfig,
 };
 use std::{io, sync::Arc};
 use x509_parser::prelude::*;
@@ -21,14 +22,6 @@ pub struct CryptoReloader {
   globals: Arc<Globals>,
 }
 
-/// Certificates and private keys in rustls loaded from files
-#[derive(Debug, PartialEq, Eq, Clone)]
-pub struct CertsAndKeys {
-  pub certs: Vec<Certificate>,
-  pub cert_keys: Vec<PrivateKey>,
-  pub client_ca_certs: Option<Vec<Certificate>>,
-}
-
 pub type SniServerCryptoMap = HashMap<ServerNameBytesExp, Arc<ServerConfig>>;
 pub struct ServerCrypto {
   // For Quic/HTTP3, only servers with no client authentication
diff --git a/src/proxy/mod.rs b/src/proxy/mod.rs
index d8fdc83..73a4002 100644
--- a/src/proxy/mod.rs
+++ b/src/proxy/mod.rs
@@ -5,5 +5,4 @@ mod proxy_h3;
 mod proxy_main;
 mod proxy_tls;
 
-pub use crypto_service::CertsAndKeys;
 pub use proxy_main::{Proxy, ProxyBuilder, ProxyBuilderError};