diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
index c45c11999..c772bdc17 100644
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@@ -637,7 +637,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 }
 if (private_key_filepath) {
 lwsl_notice("%s: doing private key filepath\n", __func__);
- lws_ssl_bind_passphrase(vh->tls.ssl_client_ctx, info);
+ lws_ssl_bind_passphrase(vh->tls.ssl_client_ctx, 1, info);
 /* set the private key from KeyFile */
 if (SSL_CTX_use_PrivateKey_file(vh->tls.ssl_client_ctx,
 private_key_filepath, SSL_FILETYPE_PEM) != 1) {
diff --git a/lib/tls/openssl/openssl-server.c b/lib/tls/openssl/openssl-server.c
index dc0bf4584..9a3a570a8 100644
--- a/lib/tls/openssl/openssl-server.c
+++ b/lib/tls/openssl/openssl-server.c
@@ -534,7 +534,7 @@ lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
 (!info->ssl_cert_filepath && !info->server_ssl_cert_mem))
 return 0;
- lws_ssl_bind_passphrase(vhost->tls.ssl_ctx, info);
+ lws_ssl_bind_passphrase(vhost->tls.ssl_ctx, 0, info);
 return lws_tls_server_certs_load(vhost, wsi, info->ssl_cert_filepath,
 info->ssl_private_key_filepath,
diff --git a/lib/tls/openssl/ssl.c b/lib/tls/openssl/ssl.c
index d7571cd56..c160acad7 100644
--- a/lib/tls/openssl/ssl.c
+++ b/lib/tls/openssl/ssl.c
@@ -60,9 +60,8 @@ int lws_ssl_get_error(struct lws *wsi, int n)
 return m;
 }
-
 static int
-lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag,
+lws_context_init_ssl_pem_passwd_cb(char *buf, int size, int rwflag,
 void *userdata)
 {
 struct lws_context_creation_info * info = 
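Review bot: The new is_client argument is passed as the bare literal `1` on the lws_ssl_bind_passphrase call, which a reader can only decode by opening private-network.h; the server call site passes `0` the same way. Either a trailing comment at both call sites, `lws_ssl_bind_passphrase(vh->tls.ssl_client_ctx, 1 /* is_client */, info);`, or a named constant declared next to the prototype would make the call sites self-describing. lws_tls_client_create_vhost_context starts and ends outside the hunk.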
@@ -74,11 +73,29 @@ lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag,
 return (int)strlen(buf);
 }
+static int
+lws_context_init_ssl_pem_passwd_client_cb(char *buf, int size, int rwflag,
+ void *userdata)
+{
+ struct lws_context_creation_info * info =
+ (struct lws_context_creation_info *)userdata;
+ const char *p = info->ssl_private_key_password;
+
+ if (info->client_ssl_private_key_password)
+ p = info->client_ssl_private_key_password;
+
+ strncpy(buf, p, size);
+ buf[size - 1] = '\0';
+
+ return (int)strlen(buf);
+}
+
 void
-lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx,
+lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, int is_client,
 const struct lws_context_creation_info *info)
 {
- if (!info->ssl_private_key_password)
+ if (!info->ssl_private_key_password &&
+ !info->client_ssl_private_key_password)
 return;
 /*
 * password provided, set ssl callback and user data
@@ -86,7 +103,8 @@ lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx,
 * SSL_CTX_use_PrivateKey_file function
 */
 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, (void *)info);
- SSL_CTX_set_default_passwd_cb(ssl_ctx,
+ SSL_CTX_set_default_passwd_cb(ssl_ctx, is_client ?
+ lws_context_init_ssl_pem_passwd_client_cb:
+ lws_context_init_ssl_pem_passwd_cb);
 }
diff --git a/lib/tls/private-network.h b/lib/tls/private-network.h
index d1019e17b..5f4ae9e51 100644
--- a/lib/tls/private-network.h
+++ b/lib/tls/private-network.h
@@ -107,7 +107,7 @@ lws_tls_fake_POLLIN_for_buffered(struct lws_context_per_thread *pt);
 LWS_EXTERN int
 lws_gate_accepts(struct lws_context *context, int on);
 LWS_EXTERN void
-lws_ssl_bind_passphrase(lws_tls_ctx *ssl_ctx,
+lws_ssl_bind_passphrase(lws_tls_ctx *ssl_ctx, int is_client,
 const struct lws_context_creation_info *info);
 LWS_EXTERN void
 lws_ssl_info_callback(const lws_tls_conn *ssl, int where, int ret);
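Review bot: The relaxed guard at the top of lws_ssl_bind_passphrase now binds a passwd callback on a server context (is_client == 0) whenever only client_ssl_private_key_password is set, yet the server callback it will select presumably copies only info->ssl_private_key_password (its body sits in the previous hunk and the old guard tested exactly that field), so the first encrypted server key load would strncpy from a NULL source. The new client callback has the same shape: `strncpy(buf, p, size)` with p derived from two possibly-NULL fields, and nothing in the callback itself checks p. Pick the passphrase once in lws_ssl_bind_passphrase according to is_client and return early when the chosen one is NULL, so neither callback can be entered without a string to copy; the rest of the function is in the following hunk. As a lesser point, a passphrase of size - 1 bytes or longer is silently truncated by the strncpy/NUL pair and then fails decryption with an opaque OpenSSL error; logging the truncation would save a debugging session.
```c
void
lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, int is_client,
			const struct lws_context_creation_info *info)
{
	const char *pw = info->ssl_private_key_password;

	/* a client ctx may carry its own passphrase; otherwise it shares the
	 * server one, which is the fallback order the client cb uses too */
	if (is_client && info->client_ssl_private_key_password)
		pw = info->client_ssl_private_key_password;

	/* no passphrase for this ctx: do not bind a cb that has nothing to copy */
	if (!pw)
		return;
	/* … unchanged: comment, SSL_CTX_set_default_passwd_cb_userdata() and the
	 * is_client ? client_cb : cb selection in the next hunk … */
```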
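Review bot: SSL_CTX_set_default_passwd_cb_userdata stores the raw `info` pointer in the ctx, and with the is_client selection below it two different callbacks now dereference it whenever OpenSSL asks for a passphrase, not just on the SSL_CTX_use_PrivateKey_file call the existing comment mentions. Whether lws_context_creation_info outlives the ctx is not visible here; if a caller stack-allocates or frees it after context creation, a later key load through either callback reads freed memory. A one-line comment on the userdata call, `/* info must outlive ssl_ctx: both passwd cbs dereference it on every key load */`, would at least record the lifetime requirement this hunk relies on. lws_ssl_bind_passphrase starts in the previous hunk.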
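Review bot: The new is_client parameter is undocumented at the only place callers see it, the prototype in private-network.h, and its name does not say that it also changes which passphrase field is consulted. A comment above the declaration along the lines of `/* is_client: non-zero selects the passwd cb that prefers client_ssl_private_key_password and falls back to ssl_private_key_password; zero uses ssl_private_key_password only */` would state the contract that is otherwise only visible by reading both callbacks in ssl.c.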