diff --git a/etc/emqx.conf b/etc/emqx.conf
index ac082f5bc..16f1eaae3 100644
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@@ -1085,6 +1085,20 @@ listener.tcp.external.access.1 = allow all
 ## Value: Duration
 ## listener.tcp.external.proxy_protocol_timeout = 3s
 
+## Enable the option for X.509 certificate based authentication.
+## EMQX will use the common name of certificate as MQTT username.
+## 'pem' encodes CRT in base64, and md5 is the md5 hash of CRT.
+##
+## Value: cn | dn | crt | pem | md5
+## listener.tcp.external.peer_cert_as_username = cn
+
+## Enable the option for X.509 certificate based authentication.
+## EMQX will use the common name of certificate as MQTT clientid.
+## 'pem' encodes CRT in base64, and md5 is the md5 hash of CRT.
+##
+## Value: cn | dn | crt | pem | md5
+## listener.tcp.external.peer_cert_as_clientid = cn
+
 ## The TCP backlog defines the maximum length that the queue of pending
 ## connections can grow to.
 ##
diff --git a/priv/emqx.schema b/priv/emqx.schema
index 26d907926..0e933c44f 100644
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@@ -1211,6 +1211,14 @@ end}.
 {datatype, {duration, ms}}
 ]}.
 
+{mapping, "listener.tcp.$name.peer_cert_as_username", "emqx.listeners", [
+ {datatype, {enum, [cn, dn, crt, pem, md5]}}
+]}.
+
+{mapping, "listener.tcp.$name.peer_cert_as_clientid", "emqx.listeners", [
+ {datatype, {enum, [cn, dn, crt, pem, md5]}}
+]}.
+
 {mapping, "listener.tcp.$name.backlog", "emqx.listeners", [
 {datatype, integer},
 {default, 1024}
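Review bot: The two added comment blocks in etc/emqx.conf do not say where a plain TCP listener gets a peer certificate from. `listener.tcp.external` performs no TLS handshake itself, so the identity presumably arrives in the PROXY protocol header written by a TLS-terminating proxy. If that is the case, the text should state the dependency and the trust assumption, e.g. `## Requires listener.tcp.external.proxy_protocol = on; the certificate identity is taken from the PROXY header, so only the trusted proxy may reach this listener.` Both blocks also describe every value as "the common name" although `dn`, `crt`, `pem` and `md5` are listed. An MD5 digest of the certificate is a weak value to authenticate on, which deserves a caveat in the comment.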
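Review bot: The enum in both new mappings in priv/emqx.schema accepts `dn`, `crt`, `pem` and `md5`, which a listener without a TLS handshake probably cannot supply, since a PROXY protocol header typically carries only the client certificate's common name. If that holds, narrow it to `{datatype, {enum, [cn]}}` so an unsupported value fails at config validation rather than producing an empty or undefined username or clientid at connect time. The translation that turns `listener.tcp.$name.*` keys into listener options lies outside this hunk. Confirm it reads both new keys, otherwise the settings are accepted and silently ignored.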