diff --git a/docs/user-guide/annotations.md b/docs/user-guide/annotations.md
index 17dfcca5a..70c517a7c 100644
--- a/docs/user-guide/annotations.md
+++ b/docs/user-guide/annotations.md
@@ -14,6 +14,7 @@ The following annotations are supported:
 |[ingress.kubernetes.io/auth-tls-verify-depth](#certificate-authentication)|number|
 |[ingress.kubernetes.io/auth-tls-verify-client](#certificate-authentication)|string|
 |[ingress.kubernetes.io/auth-tls-error-page](#certificate-authentication)|string|
+|[ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream](#certificate-authentication)|string|
 |[ingress.kubernetes.io/auth-url](#external-authentication)|string|
 |[ingress.kubernetes.io/base-url-scheme](#rewrite)|string|
 |[ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string|
@@ -149,6 +150,13 @@ ingress.kubernetes.io/auth-tls-error-page
 
 The URL/Page that user should be redirected in case of a Certificate Authentication Error
 
+```
+ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream
+```
+
+Indicates if the received certificates should be passed or not to the upstream server.
+By default this is disabled.
+
 Please check the [tls-auth](../examples/auth/client-certs/README.md) example.
 
 **Important:**
diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go
index 7fa511873..59862f159 100644
--- a/internal/ingress/annotations/authtls/main.go
+++ b/internal/ingress/annotations/authtls/main.go
@@ -41,9 +41,10 @@ var (
 // and the configured ValidationDepth
 type Config struct {
 resolver.AuthSSLCert
- VerifyClient string `json:"verify_client"`
- ValidationDepth int `json:"validationDepth"`
- ErrorPage string `json:"errorPage"`
+ VerifyClient string `json:"verify_client"`
+ ValidationDepth int `json:"validationDepth"`
+ ErrorPage string `json:"errorPage"`
+ PassCertToUpstream bool `json:"passCertToUpstream"`
 }
 
 // Equal tests for equality between two Config types
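Review bot: The new `PassCertToUpstream` field in the `Config` struct has no comment saying what it gates, and its actual effect — whether `$ssl_client_raw_cert` is forwarded to the backend as the `ssl-client-cert` header — is only discoverable from the nginx.tmpl hunk of this same change. A one-line doc comment on the field would keep that contract next to the type: `// PassCertToUpstream forwards the client certificate to the backend in the ssl-client-cert header; when false (the default) the header is sent empty.` The struct's JSON tags mix snake_case (`verify_client`) with camelCase, and the new `passCertToUpstream` follows the camelCase majority, which seems the right choice; whether anything consumes these tags is not visible from the hunk.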
@@ -66,6 +67,10 @@ func (assl1 *Config) Equal(assl2 *Config) bool {
 if assl1.ErrorPage != assl2.ErrorPage {
 return false
 }
+ if assl1.PassCertToUpstream != assl2.PassCertToUpstream {
+ return false
+ }
+
 
 return true
 }
@@ -118,10 +123,16 @@ func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {
 errorpage = ""
 }
 
+ passCert, err := parser.GetBoolAnnotation("auth-tls-pass-certificate-to-upstream", ing, a.r)
+ if err != nil {
+ passCert = false
+ }
+
 return &Config{
- AuthSSLCert: *authCert,
- VerifyClient: tlsVerifyClient,
- ValidationDepth: tlsdepth,
- ErrorPage: errorpage,
+ AuthSSLCert: *authCert,
+ VerifyClient: tlsVerifyClient,
+ ValidationDepth: tlsdepth,
+ ErrorPage: errorpage,
+ PassCertToUpstream: passCert,
 }, nil
 }
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 9bdaffdb5..a8b32429b 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -756,7 +756,11 @@ stream {
 
 # Pass the extracted client certificate to the backend
 {{ if not (empty $server.CertificateAuth.CAFileName) }}
+ {{ if $server.CertificateAuth.PassCertToUpstream }}
 proxy_set_header ssl-client-cert $ssl_client_raw_cert;
+ {{ else }}
+ proxy_set_header ssl-client-cert "";
+ {{ end }}
 proxy_set_header ssl-client-verify $ssl_client_verify;
 proxy_set_header ssl-client-dn $ssl_client_s_dn;
 {{ else }}
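Review bot: The `if err != nil { passCert = false }` branch added to `Parse` folds a malformed annotation value (anything `GetBoolAnnotation` cannot parse, e.g. `"yes"` or a typo) into the same outcome as an absent annotation, so a misconfigured ingress silently keeps the certificate unforwarded with no diagnostic. Failing closed is the right default for forwarding a client credential, but the operator should be able to see that their annotation was ignored; if the parser package distinguishes a missing annotation from a parse error, log a warning for the latter before setting `passCert = false`, and add a comment on the branch such as `// unparseable or absent annotation: never forward the certificate by accident`. I cannot see from this hunk whether such a distinction or a logger is available in this file, so treat the logging part as something to confirm. The body of `Parse` begins outside the hunk.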
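Review bot: The new `{{ if $server.CertificateAuth.PassCertToUpstream }}` branch forwards `$ssl_client_raw_cert` regardless of the verification outcome, so with the verify-client annotation set to `optional` or `optional_no_ca` the backend receives certificates nginx never validated against the configured CA; the user-guide text added in this change should state that a backend must check `ssl-client-verify` is `SUCCESS` before trusting `ssl-client-cert`. The `{{ else }}` branch's `proxy_set_header ssl-client-cert "";` is doing real security work — an empty value makes nginx drop the header, so a client cannot smuggle its own `ssl-client-cert` value through to the backend — and deserves a comment such as `# empty value drops the header so a client-supplied ssl-client-cert is never forwarded`. Separately, `$ssl_client_raw_cert` is the PEM with embedded newlines, while nginx's docs point to `$ssl_client_cert` (tab-folded) or, on 1.13.5+, `$ssl_client_escaped_cert` as the form intended for `proxy_set_header`; that line is unchanged here, but gating the forwarding per ingress is a natural moment to move to the header-safe variable. The enclosing location block starts and ends outside the hunk.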