diff --git a/config.cfg b/config.cfg
index 5fc05cfd36e6d4bcef32e1940e9a4f4bb002d952..180bf654ae409f5f7b972494dec017d9c3185012 100644
--- a/config.cfg
+++ b/config.cfg
@@ -41,6 +41,8 @@ tls = "letsencryptstaging"
 # only used if tls = "cert"
 tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
 tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
+# Used for client cert validation
+tls_client_ca = "/home/mio/certificates/acme/pki/ca.crt"
 # only used if tls = "letsencrypt"
 acme_cache_dir = "api-certs"
 # optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
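Review bot: The new example value on line 10 is a personal home-directory path (`/home/mio/...`) while the sibling TLS entries on lines 7-8 use the neutral `/etc/tls/example.org/...` form; an example config should not carry a developer's local path. The one-line comment on line 9 also leaves out the operational effect: with the accompanying main.go change, a file at this path is read at startup and every API client is then required to present a certificate chaining to it. Suggested replacement for lines 9-10: `# PEM CA bundle used to verify API client certificates (mutual TLS); when set, every client must present a cert signed by this CA` and `tls_client_ca = "/etc/tls/example.org/client-ca.pem"` (constructed example path).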
diff --git a/main.go b/main.go
index 3c7ff6f9a5532953f4e8910fe7e8fe646489b1f4..03c168b6cf790c30823a1fc23a5ba9fd244d0f83 100644
--- a/main.go
+++ b/main.go
@@ -6,7 +6,9 @@ package main
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"flag"
+	"io/ioutil"
 	stdlog "log"
 	"net/http"
 	"os"
@@ -90,7 +92,7 @@ func main() {
 	}
 
 	// HTTP API
-	go startHTTPAPI(errChan, Config, dnsservers)
+	go startHTTPAPI(errChan, Config, dnsservers, Config.API.TLSClientCA)
 
 	// block waiting for error
 	for {
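Review bot: The new fourth argument on line 33 duplicates data the call already passes: `Config.API.TLSClientCA` is a field of the `Config` value handed over as the `config` parameter, so startHTTPAPI now receives the same setting twice. The signature change in the next hunk (`ca string` on line 42) can be dropped and the body read `config.API.TLSClientCA` instead, keeping this call site as `go startHTTPAPI(errChan, Config, dnsservers)`. The body of startHTTPAPI already mixes the global `Config` with the `config` parameter on line 48, which is pre-existing but worth settling in the same change. The enclosing main function starts before and continues after this hunk.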
@@ -101,7 +103,7 @@ func main() {
 	}
 }
 
-func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer) {
+func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer, ca string) {
 	// Setup http logger
 	logger := log.New()
 	logwriter := logger.Writer()
@@ -131,9 +133,20 @@ func startHTTPAPI(errChan chan error, config DNSConfig, dnsservers []*DNSServer)
 
 	host := Config.API.IP + ":" + Config.API.Port
 
+	caCerts := x509.NewCertPool()
+	clientCertPEM, certErr := ioutil.ReadFile(ca)
+	if certErr != nil {
+		return
+	}
+	ok := caCerts.AppendCertsFromPEM(clientCertPEM)
+	if !ok {
+		panic("failed to parse root certificate")
+	}
 	// TLS specific general settings
 	cfg := &tls.Config{
 		MinVersion: tls.VersionTLS12,
+		ClientAuth: tls.RequireAndVerifyClientCert,
+		ClientCAs:  caCerts,
 	}
 	provider := NewChallengeProvider(dnsservers)
 	storage := certmagic.FileStorage{Path: Config.API.ACMECacheDir}
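Review bot: The bare `return` on line 53 leaves the goroutine without sending anything on errChan, so on a read failure the HTTP API never starts while main keeps blocking in its "wait for error" loop (lines 35-36) with no diagnostic; because the CA path is read unconditionally, any configuration that leaves `tls_client_ca` unset (or runs without TLS) hits exactly this silent exit. The parse failure on line 57 takes the opposite route and panics, so the two error paths of the same feature are inconsistent; both should go through errChan like the rest of the function's failures, and the message should name the client CA rather than a "root certificate". `ioutil.ReadFile` (line 51) is deprecated since Go 1.16 in favour of `os.ReadFile`, and `os` is already imported (line 27), so the new `io/ioutil` import on line 24 is unnecessary. The fence below gates client-cert verification on the option being set and reports both failures on errChan; it uses `fmt.Errorf`, and `fmt` does not appear in the visible import context, so it would need adding to the import block. I cannot see from the hunk whether `cfg` is applied only when a TLS mode is selected, so the `ca != ""` guard is the minimum needed to keep non-mTLS deployments starting. startHTTPAPI continues past the end of this hunk.

```go
	// TLS specific general settings
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
	// Mutual TLS is opt-in: only when tls_client_ca is configured do we
	// require and verify a client certificate. A missing or unparsable CA
	// file is a startup error reported on errChan, not a silent exit.
	if ca != "" {
		caPEM, err := os.ReadFile(ca)
		if err != nil {
			errChan <- fmt.Errorf("reading tls_client_ca %q: %w", ca, err)
			return
		}
		caCerts := x509.NewCertPool()
		if !caCerts.AppendCertsFromPEM(caPEM) {
			errChan <- fmt.Errorf("tls_client_ca %q contains no valid PEM certificates", ca)
			return
		}
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cfg.ClientCAs = caCerts
	}
	// … unchanged: challenge provider, certmagic storage …
```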
diff --git a/types.go b/types.go
index 05bf7ad5d733e693d9339bc743e10d4bbcabf821..04bdb956e33f3066000a82de011d383e5ae35d9b 100644
--- a/types.go
+++ b/types.go
@@ -47,6 +47,7 @@ type httpapi struct {
 	TLS                 string
 	TLSCertPrivkey      string `toml:"tls_cert_privkey"`
 	TLSCertFullchain    string `toml:"tls_cert_fullchain"`
+	TLSClientCA         string `toml:"tls_client_ca"`
 	ACMECacheDir        string `toml:"acme_cache_dir"`
 	NotificationEmail   string `toml:"notification_email"`
 	CorsOrigins         []string
@@ -64,7 +65,7 @@ type logconfig struct {
 
 type acmedb struct {
 	Mutex sync.Mutex
-	DB *sql.DB
+	DB    *sql.DB
 }
 
 type database interface {