diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 4ab8015fd..2f237d6d4 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -491,6 +491,17 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in
 server.Hostname, ingKey)
 }
 
+ if server.ProxySSL.CAFileName == "" {
+ server.ProxySSL = anns.ProxySSL
+ if server.ProxySSL.Secret != "" && server.ProxySSL.CAFileName == "" {
+ klog.V(3).Infof("Secret %q has no 'ca.crt' key, client cert authentication disabled for Ingress %q",
+ server.ProxySSL.Secret, ingKey)
+ }
+ } else {
+ klog.V(3).Infof("Server %q is already configured for client cert authentication (Ingress %q)",
+ server.Hostname, ingKey)
+ }
+
 if rule.HTTP == nil {
 klog.V(3).Infof("Ingress %q does not contain any HTTP rule, using default backend", ingKey)
 continue
diff --git a/internal/ingress/controller/store/backend_ssl.go b/internal/ingress/controller/store/backend_ssl.go
index e9fa81b16..4a2f347a3 100644
--- a/internal/ingress/controller/store/backend_ssl.go
+++ b/internal/ingress/controller/store/backend_ssl.go
@@ -104,19 +104,18 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
 return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err)
 }
 
- path, err := ssl.StoreSSLCertOnDisk(nsSecName, sslCert)
- if err != nil {
- return nil, fmt.Errorf("error while storing certificate and key: %v", err)
- }
-
- sslCert.PemFileName = path
-
 if len(ca) > 0 {
 caCert, err := ssl.CheckCACert(ca)
 if err != nil {
 return nil, fmt.Errorf("parsing CA certificate: %v", err)
 }
 
+ path, err := ssl.StoreSSLCertOnDisk(nsSecName, sslCert)
+ if err != nil {
+ return nil, fmt.Errorf("error while storing certificate and key: %v", err)
+ }
+
+ sslCert.PemFileName = path
 sslCert.CACertificate = caCert
 sslCert.CAFileName = path
 sslCert.CASHA = file.SHA1(path)
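Review bot: The `else` branch keeps whatever ProxySSL the first Ingress for this hostname installed and drops the annotation of every later Ingress with only a V(3) log, so two Ingresses sharing a host but naming different `proxy-ssl-secret` values silently present the first one's client certificate to the backend. Since this decides which identity the controller presents upstream, it deserves a visible signal rather than a debug line, e.g. `klog.Warningf("Server %q already has proxy-ssl configured, ignoring proxy-ssl-secret from Ingress %q", server.Hostname, ingKey)` or an event on the Ingress. The first branch has the mirror problem: an earlier Ingress whose secret lacked `ca.crt` (so `CAFileName` stayed empty) is overwritten by the next one without notice, because the code treats "no CA" as "not configured". Both messages also read as if this were client-certificate authentication of callers; phrasing them as "upstream (proxy-ssl) client certificate" would keep them distinct from the similar block just above. getBackendServers starts and ends outside the hunk.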
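Review bot: Moving `StoreSSLCertOnDisk` into the `if len(ca) > 0` block means a Secret holding `tls.crt`/`tls.key` but no `ca.crt` now yields an SSLCert with an empty `PemFileName`, and nothing in the hunk says so; the nginx.tmpl hunks in this same diff key `proxy_ssl_certificate` off `PemFileName`, so such a secret quietly stops rendering any client certificate. If that is intended, a comment on the new call would save the next reader the trace, e.g. `// PEM is written to disk only when the secret also carries a CA; without ca.crt PemFileName stays empty and no proxy_ssl_certificate is rendered.` Note also that `PemFileName` and `CAFileName` now receive the same `path`, so the file that holds the private key is also the one handed out as the trust bundle — worth confirming that whatever configures the CA after this hunk (not visible here) keeps that file's ownership and mode tight. getPemCertificate begins before and continues past the hunk.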
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 289b16c11..fe76aeefb 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -825,8 +825,8 @@ stream {
 {{ end }}
 
 {{ if not (empty $server.ProxySSL.PemFileName) }}
- proxy_ssl_certificate {{ $server.ProxySSL.CAFileName }};
- proxy_ssl_certificate_key {{ $server.ProxySSL.CAFileName }};
+ proxy_ssl_certificate {{ $server.ProxySSL.PemFileName }};
+ proxy_ssl_certificate_key {{ $server.ProxySSL.PemFileName }};
 {{ end }}
 
 {{ if not (empty $server.SSLCiphers) }}
@@ -1299,8 +1299,8 @@ stream {
 {{ end }}
 
 {{ if not (empty $location.ProxySSL.PemFileName) }}
- proxy_ssl_certificate {{ $location.ProxySSL.CAFileName }};
- proxy_ssl_certificate_key {{ $location.ProxySSL.CAFileName }};
+ proxy_ssl_certificate {{ $location.ProxySSL.PemFileName }};
+ proxy_ssl_certificate_key {{ $location.ProxySSL.PemFileName }};
 {{ end }}
 }
 {{ end }}
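Review bot: The guard `{{ if not (empty $server.ProxySSL.PemFileName) }}` now only fires when the secret also contained `ca.crt`, because the backend_ssl.go hunk in this diff sets `PemFileName` only inside `if len(ca) > 0`; a `proxy-ssl-secret` with just `tls.crt`/`tls.key` renders no `proxy_ssl_certificate` at all, the upstream handshake proceeds without a client certificate, and nothing in the generated config shows why. Pointing both directives at `PemFileName` is the right fix (the store writes certificate and key into that one file), but a template comment would make the dependency explicit: `{{/* PemFileName is only set when the secret carries ca.crt; a cert-only secret renders nothing here */}}`. Whether `proxy_ssl_verify`/`proxy_ssl_trusted_certificate` are emitted for the same CA is outside the hunk, so I cannot tell from here whether the CA in the secret is actually used to verify the backend. The location-level hunk at 1299 is the same change and the same comment applies.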