diff --git a/src/emqx_channel.erl b/src/emqx_channel.erl
index 50ae41d7b..479d5fa8d 100644
--- a/src/emqx_channel.erl
+++ b/src/emqx_channel.erl
@@ -250,7 +250,9 @@ init(ConnInfo = #{peername := {PeerHost, _Port},
                      is_superuser => false
                     }, Options),
     {NClientInfo, NConnInfo} = take_ws_cookie(ClientInfo, ConnInfo),
-    #channel{conninfo   = NConnInfo,
+    #channel{%% We remove the peercert because it duplicates to what's stored in the socket,
+             %% Saving a copy here causes unnecessary wast of memory (about 1KB per connection).
+             conninfo   = maps:put(peercert, undefined, NConnInfo),
              clientinfo = NClientInfo,
              topic_aliases = #{inbound => #{},
                                outbound => #{}
diff --git a/test/emqx_client_SUITE.erl b/test/emqx_client_SUITE.erl
index c636e03f8..506a7c050 100644
--- a/test/emqx_client_SUITE.erl
+++ b/test/emqx_client_SUITE.erl
@@ -550,4 +550,10 @@ tls_certcn_as_clientid(TLSVsn, RequiredTLSVsn) ->
     {ok, _} = emqtt:connect(Client),
     #{clientinfo := #{clientid := CN}} = emqx_cm:get_chan_info(CN),
     confirm_tls_version( Client, RequiredTLSVsn ),
+    %% verify that the peercert won't be stored in the conninfo
+    [ChannPid] = emqx_cm:lookup_channels(CN),
+    SysState = sys:get_state(ChannPid),
+    ChannelRecord = lists:keyfind(channel, 1, tuple_to_list(SysState)),
+    ConnInfo = lists:nth(2, tuple_to_list(ChannelRecord)),
+    ?assertMatch(#{peercert := undefined}, ConnInfo),
     emqtt:disconnect(Client).