diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index 2cb3ab0c..42deebd4 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -2060,6 +2060,40 @@ libwebsocket_create_context(struct lws_context_creation_info *info)
 		 * helping the client to verify server identity
 		 */
 
+		/* support for client-side certificate authentication */
+		if (info->ssl_cert_filepath) {
+			n = SSL_CTX_use_certificate_chain_file(
+				context->ssl_client_ctx,
+						info->ssl_cert_filepath);
+			if (n != 1) {
+				lwsl_err("problem getting cert '%s' %lu: %s\n",
+					info->ssl_cert_filepath,
+					ERR_get_error(),
+					ERR_error_string(ERR_get_error(),
+					(char *)context->service_buffer));
+				goto bail;
+			}
+		} 
+		if (info->ssl_private_key_filepath) {
+			/* set the private key from KeyFile */
+			if (SSL_CTX_use_PrivateKey_file(context->ssl_client_ctx,
+				     info->ssl_private_key_filepath,
+						       SSL_FILETYPE_PEM) != 1) {
+				lwsl_err("use_PrivateKey_file '%s' %lu: %s\n",
+					info->ssl_private_key_filepath,
+					ERR_get_error(),
+					ERR_error_string(ERR_get_error(),
+					      (char *)context->service_buffer));
+				goto bail;
+			}
+
+			/* verify private key */
+			if (!SSL_CTX_check_private_key(context->ssl_client_ctx)) {
+				lwsl_err("Private SSL key doesn't match cert\n");
+				goto bail;
+			}
+		} 
+
 		context->protocols[0].callback(context, NULL,
 			LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
 			context->ssl_client_ctx, NULL, 0);