diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index ab7b919ad..4ab8015fd 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -491,17 +491,6 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in
 server.Hostname, ingKey)
 }
 
- if server.ProxySSL.CAFileName == "" {
- server.ProxySSL = anns.ProxySSL
- if server.ProxySSL.Secret != "" && server.ProxySSL.CAFileName == "" {
- klog.V(3).Infof("Secret %q has no 'ca.crt' key, client cert authentication disabled for Ingress %q",
- server.ProxySSL.Secret, ingKey)
- }
- } else {
- klog.V(3).Infof("Server %q is already configured for client cert authentication (Ingress %q)",
- server.Hostname, ingKey)
- }
-
 if rule.HTTP == nil {
 klog.V(3).Infof("Ingress %q does not contain any HTTP rule, using default backend", ingKey)
 continue
@@ -1170,6 +1159,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress)
 loc.EnableGlobalAuth = anns.EnableGlobalAuth
 loc.HTTP2PushPreload = anns.HTTP2PushPreload
 loc.Proxy = anns.Proxy
+ loc.ProxySSL = anns.ProxySSL
 loc.RateLimit = anns.RateLimit
 loc.Redirect = anns.Redirect
 loc.Rewrite = anns.Rewrite
diff --git a/internal/ingress/controller/store/backend_ssl.go b/internal/ingress/controller/store/backend_ssl.go
index 4638343cd..e9fa81b16 100644
--- a/internal/ingress/controller/store/backend_ssl.go
+++ b/internal/ingress/controller/store/backend_ssl.go
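Review bot: Removing the server-level ProxySSL assignment in the first hunk drops the `Secret %q has no 'ca.crt' key, client cert authentication disabled for Ingress %q` diagnostic, and the replacement `loc.ProxySSL = anns.ProxySSL` in the second hunk logs nothing, so an Ingress whose proxy-ssl secret lacks a CA now falls back silently with upstream verification unavailable. Consider keeping an equivalent V(3) log in locationApplyAnnotations when `anns.ProxySSL.Secret != "" && anns.ProxySSL.CAFileName == ""`. Unless `server.ProxySSL` is still populated somewhere not shown here, the server-scoped `$server.ProxySSL` block that nginx.tmpl still renders in this same commit no longer receives any annotation data. Both getBackendServers and locationApplyAnnotations extend beyond their hunks.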
@@ -104,17 +104,19 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
 return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err)
 }
 
+ path, err := ssl.StoreSSLCertOnDisk(nsSecName, sslCert)
+ if err != nil {
+ return nil, fmt.Errorf("error while storing certificate and key: %v", err)
+ }
+
+ sslCert.PemFileName = path
+
 if len(ca) > 0 {
 caCert, err := ssl.CheckCACert(ca)
 if err != nil {
 return nil, fmt.Errorf("parsing CA certificate: %v", err)
 }
 
- path, err := ssl.StoreSSLCertOnDisk(nsSecName, sslCert)
- if err != nil {
- return nil, fmt.Errorf("error while storing certificate and key: %v", err)
- }
-
 sslCert.CACertificate = caCert
 sslCert.CAFileName = path
 sslCert.CASHA = file.SHA1(path)
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index 7b9233c59..f516d0a74 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -843,6 +843,7 @@ func (s *k8sStore) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error
 CASHA: cert.CASHA,
 CRLFileName: cert.CRLFileName,
 CRLSHA: cert.CRLSHA,
+ PemFileName: cert.PemFileName,
 }, nil
 }
 
diff --git a/internal/ingress/resolver/main.go b/internal/ingress/resolver/main.go
index 4581143a5..e05a2aaae 100644
--- a/internal/ingress/resolver/main.go
+++ b/internal/ingress/resolver/main.go
@@ -56,6 +56,8 @@ type AuthSSLCert struct {
 CRLFileName string `json:"crlFileName"`
 // CRLSHA contains the SHA1 hash of the 'ca.crl' file
 CRLSHA string `json:"crlSha"`
+ // PemFileName contains the path to the secrets 'tls.crt' and 'tls.key'
+ PemFileName string `json:"pemFilename"`
 }
 
 // Equal tests for equality between two AuthSSLCert types
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 2b646cd71..289b16c11 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
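Review bot: `ssl.StoreSSLCertOnDisk` is now called for every secret that reaches this point rather than only when `ca.crt` is present, so the key material of every referenced TLS secret ("certificate and key", per the error text) is written to disk, not just that of proxy-ssl secrets. The commit does not show the file mode the writer uses or how stale files are removed when a secret is deleted or rotated; confirm both cover this larger set before merging. Note also that `sslCert.CAFileName = path` in the CA branch records the same bundle path that `sslCert.PemFileName` now holds, so the two fields never name different files on disk; a one-line comment above `sslCert.PemFileName = path` stating that it is the cert+key bundle written by StoreSSLCertOnDisk and that CAFileName reuses it would spare the template author a wrong guess. getPemCertificate continues outside the hunk.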
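Review bot: The new PemFileName field is not visibly compared by Equal, whose doc comment is the last context line of this hunk and whose body lies outside it; if Equal compares fields one by one as the CA/CRL pairs suggest, two values differing only in PemFileName compare equal and a change to that path could be missed, so add a PemFileName comparison next to the existing CRLFileName one. The json tag `pemFilename` also breaks the casing of the neighbouring `crlFileName`; prefer the tag value `pemFileName` while the field is still new. The field comment would read more precisely as `// PemFileName contains the path to the file holding the secret's 'tls.crt' and 'tls.key'`.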
@@ -817,8 +817,6 @@ stream {
 
 {{ if not (empty $server.ProxySSL.CAFileName) }}
 # PEM sha: {{ $server.ProxySSL.CASHA }}
- proxy_ssl_certificate {{ $server.ProxySSL.CAFileName }};
- proxy_ssl_certificate_key {{ $server.ProxySSL.CAFileName }};
 proxy_ssl_trusted_certificate {{ $server.ProxySSL.CAFileName }};
 proxy_ssl_ciphers {{ $server.ProxySSL.Ciphers }};
 proxy_ssl_protocols {{ $server.ProxySSL.Protocols }};
@@ -826,6 +824,11 @@ stream {
 proxy_ssl_verify_depth {{ $server.ProxySSL.VerifyDepth }};
 {{ end }}
 
+ {{ if not (empty $server.ProxySSL.PemFileName) }}
+ proxy_ssl_certificate {{ $server.ProxySSL.CAFileName }};
+ proxy_ssl_certificate_key {{ $server.ProxySSL.CAFileName }};
+ {{ end }}
+
 {{ if not (empty $server.SSLCiphers) }}
 ssl_ciphers {{ $server.SSLCiphers }};
 {{ end }}
@@ -1286,6 +1289,19 @@ stream {
 # Location denied. Reason: {{ $location.Denied | quote }}
 return 503;
 {{ end }}
+ {{ if not (empty $location.ProxySSL.CAFileName) }}
+ # PEM sha: {{ $location.ProxySSL.CASHA }}
+ proxy_ssl_trusted_certificate {{ $location.ProxySSL.CAFileName }};
+ proxy_ssl_ciphers {{ $location.ProxySSL.Ciphers }};
+ proxy_ssl_protocols {{ $location.ProxySSL.Protocols }};
+ proxy_ssl_verify {{ $location.ProxySSL.Verify }};
+ proxy_ssl_verify_depth {{ $location.ProxySSL.VerifyDepth }};
+ {{ end }}
+
+ {{ if not (empty $location.ProxySSL.PemFileName) }}
+ proxy_ssl_certificate {{ $location.ProxySSL.CAFileName }};
+ proxy_ssl_certificate_key {{ $location.ProxySSL.CAFileName }};
+ {{ end }}
 }
 {{ end }}
 {{ end }}
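Review bot: In the second hunk the new block is gated on `$server.ProxySSL.PemFileName` but still emits `proxy_ssl_certificate {{ $server.ProxySSL.CAFileName }};` and the matching `proxy_ssl_certificate_key` line, and the location block in the third hunk repeats this with `$location`; when the secret has no ca.crt — the case the new guard exists for — CAFileName is empty, the rendered `proxy_ssl_certificate ;` has no argument and nginx rejects it at config test, so both sites should reference `{{ $server.ProxySSL.PemFileName }}` / `{{ $location.ProxySSL.PemFileName }}` instead (four lines in total). When a CA is present the two fields hold the same path (backend_ssl.go in this commit assigns both from one StoreSSLCertOnDisk call), which is why the template works today. Separately, the `# PEM sha` marker stays inside the CAFileName block only, so a rotated client certificate in a CA-less secret changes no rendered byte and may not trigger a reload; if a SHA of the PEM bundle is available on the struct, emitting it inside the PemFileName block would close that gap.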