diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index f94b11c0..aaf991aa 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -1596,6 +1596,16 @@ libwebsocket_create_context(int port, const char *interface,
 						      LWS_OPENSSL_CLIENT_CERTS);
 	}
 
+	/*
+	 * callback allowing user code to load extra verification certs
+	 * helping the client to verify server identity
+	 */
+
+	this->protocols[0].callback(this, wsi,
+		LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
+		this->ssl_client_ctx, NULL, 0);
+
+
 	if (this->use_ssl) {
 
 		/* openssl init for server sockets */
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index acb27b13..0890c9b1 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -43,6 +43,7 @@ enum libwebsocket_callback_reasons {
 	LWS_CALLBACK_BROADCAST,
 	LWS_CALLBACK_FILTER_NETWORK_CONNECTION,
 	LWS_CALLBACK_FILTER_PROTOCOL_CONNECTION,
+	LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
 
 	/* external poll() management support */
 	LWS_CALLBACK_ADD_POLL_FD,
@@ -201,6 +202,12 @@ struct libwebsocket_context;
  *		content before deciding to allow the handshake to proceed or
  *		to kill the connection.
  *
+ * 	LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS: if configure for
+ * 		including OpenSSL support, this callback allows your user code
+ * 		to perform extra SSL_CTX_load_verify_locations() or similar
+ *		calls to direct OpenSSL where to find certificates the client
+ *		can use to confirm the remote server identity.  @user is the
+ *		OpenSSL SSL_CTX*
  *
  *	The next four reasons are optional and only need taking care of if you
  * 	will be integrating libwebsockets sockets into an external polling
diff --git a/libwebsockets-api-doc.html b/libwebsockets-api-doc.html
index cd3e70d0..ecb17ca7 100644
--- a/libwebsockets-api-doc.html
+++ b/libwebsockets-api-doc.html
@@ -580,7 +580,15 @@ use the header enums lws_token_indexes from libwebsockets.h
 to check for and read the supported header presence and
 content before deciding to allow the handshake to proceed or
 to kill the connection.
-<p>
+</blockquote>
+<h3>LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS</h3>
+<blockquote>
+if configure for
+including OpenSSL support, this callback allows your user code
+to perform extra <b>SSL_CTX_load_verify_locations</b> or similar
+calls to direct OpenSSL where to find certificates the client
+can use to confirm the remote server identity.  <tt><b>user</b></tt> is the
+OpenSSL SSL_CTX*
 <p>
 The next four reasons are optional and only need taking care of if you
 will be integrating libwebsockets sockets into an external polling