diff --git a/include/libwebsockets/lws-context-vhost.h b/include/libwebsockets/lws-context-vhost.h
index 4c095ea15..f670cd79c 100644
--- a/include/libwebsockets/lws-context-vhost.h
+++ b/include/libwebsockets/lws-context-vhost.h
@@ -422,14 +422,20 @@ struct lws_context_creation_info {
 	/**< VHOST: Client SSL context init: NULL or the passphrase needed
 	 * for the private key */
 	const char *client_ssl_cert_filepath;
-	/**< VHOST: Client SSL context init:T he certificate the client
+	/**< VHOST: Client SSL context init: The certificate the client
 	 * should present to the peer on connection */
+	const void *client_ssl_cert_mem;
+	/**< VHOST: Client SSL context init: client certificate memory buffer or
+	 * NULL... use this to load client cert from memory instead of file */
+	unsigned int client_ssl_cert_mem_len;
+	/**< VHOST: Client SSL context init: length of client_ssl_cert_mem in
+	 * bytes */
 	const char *client_ssl_private_key_filepath;
 	/**< VHOST: Client SSL context init: filepath to client private key
 	 * if this is set to NULL but client_ssl_cert_filepath is set, you
 	 * can handle the LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS
 	 * callback of protocols[0] to allow setting of the private key directly
-	 * via openSSL library calls */
+	 * via tls library calls */
 	const char *client_ssl_ca_filepath;
 	/**< VHOST: Client SSL context init: CA certificate filepath or NULL */
 	const void *client_ssl_ca_mem;
diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
index ed2bbdf52..4feeae8c1 100644
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@@ -360,6 +360,8 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 				    const void *ca_mem,
 				    unsigned int ca_mem_len,
 				    const char *cert_filepath,
+				    const void *cert_mem,
+				    unsigned int cert_mem_len,
 				    const char *private_key_filepath)
 {
 	SSL_METHOD *method;
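Review bot: The new `client_ssl_cert_mem` comment says only "client certificate memory buffer", but the OpenSSL backend in this same commit hands the buffer to `SSL_CTX_use_certificate_ASN1`, which expects a DER-encoded certificate rather than PEM, so a caller following the header alone will likely pass PEM and get an unexplained parse failure. The comment should also say that no in-memory private-key field is added, so the key still has to come from a file or the callback. I would write it as `/**< VHOST: Client SSL context init: DER-encoded client certificate in memory, or NULL; the private key still comes from client_ssl_private_key_filepath or the LOAD_EXTRA_CLIENT_VERIFY_CERTS callback */`. Whether the non-OpenSSL backends accept the same encoding is not visible on this page, so confirm that before documenting it as backend-independent.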
@@ -492,6 +494,15 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 			return 1;
 		}
 		lwsl_notice("Loaded client cert %s\n", cert_filepath);
+	} else if (cert_mem && cert_mem_len) {
+		n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
+						 cert_mem_len, cert_mem);
+		if (n < 1) {
+			lwsl_err("%s: problem interpreting client cert '%s'\n",
+				 __func__);
+			lws_tls_err_describe();
+			return 1;
+		}
 	}
 	if (private_key_filepath) {
 		lwsl_notice("%s: doing private key filepath\n", __func__);
diff --git a/lib/tls/private.h b/lib/tls/private.h
index 892490904..1b374b89f 100644
--- a/lib/tls/private.h
+++ b/lib/tls/private.h
@@ -281,6 +281,8 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 				    const void *ca_mem,
 				    unsigned int ca_mem_len,
 				    const char *cert_filepath,
+				    const void *cert_mem,
+				    unsigned int cert_mem_len,
 				    const char *private_key_filepath);
 
 LWS_EXTERN lws_tls_ctx *
diff --git a/lib/tls/tls-client.c b/lib/tls/tls-client.c
index 925f3058c..ba6ddfc02 100644
--- a/lib/tls/tls-client.c
+++ b/lib/tls/tls-client.c
@@ -132,6 +132,8 @@ int lws_context_init_client_ssl(const struct lws_context_creation_info *info,
 				    info->client_ssl_ca_mem,
 				    info->client_ssl_ca_mem_len,
 				    cert_filepath,
+				    info->client_ssl_cert_mem,
+				    info->client_ssl_cert_mem_len,
 				    private_key_filepath))
 		return 1;
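Review bot: The error path in the new `else if (cert_mem && cert_mem_len)` branch passes a format string with two `%s` conversions but only one argument (`__func__`), so `lwsl_err` reads a second pointer that was never supplied — undefined behaviour that prints garbage or crashes precisely when an attacker-controlled or malformed certificate fails to parse. There is no filename to report here; change it to `lwsl_err("%s: problem interpreting client cert from memory\n", __func__);`. Separately, `SSL_CTX_use_certificate_ASN1` takes an `int` length and `const unsigned char *`, so the `unsigned int cert_mem_len` and `const void *cert_mem` are converted implicitly; a bound check such as `if (cert_mem_len > INT_MAX) return 1;` before the call would make that conversion safe and explicit. The enclosing function starts and ends outside this hunk.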