diff --git a/mongoose.c b/mongoose.c
index e35c35ac..8d38b408 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -3404,12 +3404,14 @@ static void debug_cb(void *c, int lev, const char *s, int n, const char *s2) {
 int mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
   struct mg_tls *tls = (struct mg_tls *) calloc(1, sizeof(*tls));
   int rc = 0;
+  const char *ca = opts->ca == NULL     ? "-"
+                   : opts->ca[0] == '-' ? "(emb)"
+                                        : opts->ca;
   if (tls == NULL) {
     mg_error(c, "TLS OOM");
     goto fail;
   }
-  LOG(LL_DEBUG, ("%lu Setting TLS, CA: %s, cert: %s, key: %s", c->id,
-                 opts->ca == NULL ? "null" : opts->ca,
+  LOG(LL_DEBUG, ("%lu Setting TLS, CA: %s, cert: %s, key: %s", c->id, ca,
                  opts->cert == NULL ? "null" : opts->cert,
                  opts->certkey == NULL ? "null" : opts->certkey));
   mbedtls_ssl_init(&tls->ssl);
@@ -3434,13 +3436,17 @@ int mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
     tls->cafile = strdup(opts->ca);
     rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, NULL);
     if (rc != 0) {
-      mg_error(c, "parse on-disk chain(%s) err %#x", opts->ca, -rc);
+      mg_error(c, "parse on-disk chain(%s) err %#x", ca, -rc);
       goto fail;
     }
 #else
     mbedtls_x509_crt_init(&tls->ca);
-    if ((rc = mbedtls_x509_crt_parse_file(&tls->ca, opts->ca)) != 0) {
-      mg_error(c, "parse(%s) err %#x", opts->ca, -rc);
+    rc = opts->ca[0] == '-'
+             ? mbedtls_x509_crt_parse(&tls->ca, (uint8_t *) opts->ca,
+                                      strlen(opts->ca) + 1)
+             : mbedtls_x509_crt_parse_file(&tls->ca, opts->ca);
+    if (rc != 0) {
+      mg_error(c, "parse(%s) err %#x", ca, -rc);
       goto fail;
     }
     mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, NULL);
@@ -3876,17 +3882,32 @@ bool mg_file_printf(const char *path, const char *fmt, ...) {
   if (buf != tmp) free(buf);
   return result;
 }
+#endif
 
 void mg_random(void *buf, size_t len) {
-  FILE *fp = mg_fopen("/dev/urandom", "rb");
-  size_t i, n = 0;
-  if (fp != NULL) n = fread(buf, 1, len, fp);
-  if (fp == NULL || n <= 0) {
+  bool done = false;
+#if MG_ENABLE_FS
+  if (!done) {
+    FILE *fp = mg_fopen("/dev/urandom", "rb");
+    if (fp != NULL) {
+      fread(buf, 1, len, fp);
+      fclose(fp);
+      done = true;
+    }
+  }
+#endif
+#if MG_ENABLE_MBEDTLS
+  if (!done && mbedtls_entropy_func(NULL, buf, len) == 0) {
+    done = true;
+    LOG(LL_DEBUG, ("RAND %d", done));
+  }
+#endif
+  if (!done) {
+    // Fallback to a pseudo random gen
+    size_t i;
     for (i = 0; i < len; i++) ((unsigned char *) buf)[i] = rand() % 0xff;
   }
-  if (fp != NULL) fclose(fp);
 }
-#endif
 
 bool mg_globmatch(const char *s1, int n1, const char *s2, int n2) {
   int i = 0, j = 0, ni = 0, nj = 0;
diff --git a/src/tls.c b/src/tls.c
index c3a7f71a..21b54322 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -64,12 +64,14 @@ static void debug_cb(void *c, int lev, const char *s, int n, const char *s2) {
 int mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
   struct mg_tls *tls = (struct mg_tls *) calloc(1, sizeof(*tls));
   int rc = 0;
+  const char *ca = opts->ca == NULL     ? "-"
+                   : opts->ca[0] == '-' ? "(emb)"
+                                        : opts->ca;
   if (tls == NULL) {
     mg_error(c, "TLS OOM");
     goto fail;
   }
-  LOG(LL_DEBUG, ("%lu Setting TLS, CA: %s, cert: %s, key: %s", c->id,
-                 opts->ca == NULL ? "null" : opts->ca,
+  LOG(LL_DEBUG, ("%lu Setting TLS, CA: %s, cert: %s, key: %s", c->id, ca,
                  opts->cert == NULL ? "null" : opts->cert,
                  opts->certkey == NULL ? "null" : opts->certkey));
   mbedtls_ssl_init(&tls->ssl);
@@ -94,13 +96,17 @@ int mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
     tls->cafile = strdup(opts->ca);
     rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, NULL);
     if (rc != 0) {
-      mg_error(c, "parse on-disk chain(%s) err %#x", opts->ca, -rc);
+      mg_error(c, "parse on-disk chain(%s) err %#x", ca, -rc);
       goto fail;
     }
 #else
     mbedtls_x509_crt_init(&tls->ca);
-    if ((rc = mbedtls_x509_crt_parse_file(&tls->ca, opts->ca)) != 0) {
-      mg_error(c, "parse(%s) err %#x", opts->ca, -rc);
+    rc = opts->ca[0] == '-'
+             ? mbedtls_x509_crt_parse(&tls->ca, (uint8_t *) opts->ca,
+                                      strlen(opts->ca) + 1)
+             : mbedtls_x509_crt_parse_file(&tls->ca, opts->ca);
+    if (rc != 0) {
+      mg_error(c, "parse(%s) err %#x", ca, -rc);
       goto fail;
     }
     mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, NULL);
diff --git a/src/util.c b/src/util.c
index bee82fd4..17cdc2f7 100644
--- a/src/util.c
+++ b/src/util.c
@@ -83,17 +83,33 @@ bool mg_file_printf(const char *path, const char *fmt, ...) {
   if (buf != tmp) free(buf);
   return result;
 }
+#endif
 
 void mg_random(void *buf, size_t len) {
-  FILE *fp = mg_fopen("/dev/urandom", "rb");
-  size_t i, n = 0;
-  if (fp != NULL) n = fread(buf, 1, len, fp);
-  if (fp == NULL || n <= 0) {
+  bool done = false;
+#if MG_ENABLE_FS
+  if (!done) {
+    FILE *fp = mg_fopen("/dev/urandom", "rb");
+    if (fp != NULL) {
+      fread(buf, 1, len, fp);
+      fclose(fp);
+      done = true;
+    }
+  }
+#endif
+#if MG_ENABLE_MBEDTLS
+  extern int mbedtls_entropy_func(void *, void *, size_t);
+  if (!done && mbedtls_entropy_func(NULL, buf, len) == 0) {
+    done = true;
+    LOG(LL_DEBUG, ("RAND %d", done));
+  }
+#endif
+  if (!done) {
+    // Fallback to a pseudo random gen
+    size_t i;
     for (i = 0; i < len; i++) ((unsigned char *) buf)[i] = rand() % 0xff;
   }
-  if (fp != NULL) fclose(fp);
 }
-#endif
 
 bool mg_globmatch(const char *s1, int n1, const char *s2, int n2) {
   int i = 0, j = 0, ni = 0, nj = 0;