diff --git a/apps/emqx/integration_test/emqx_persistent_session_ds_SUITE.erl b/apps/emqx/integration_test/emqx_persistent_session_ds_SUITE.erl
index 4f67443dd..8b0afa0b2 100644
--- a/apps/emqx/integration_test/emqx_persistent_session_ds_SUITE.erl
+++ b/apps/emqx/integration_test/emqx_persistent_session_ds_SUITE.erl
@@ -251,7 +251,7 @@ t_session_subscription_idempotency(Config) ->
 
             ok
         end,
-        fun(Trace) ->
+        fun(_Trace) ->
             Session = session_open(Node1, ClientId),
             ?assertMatch(
                 #{SubTopicFilter := #{}},
@@ -324,7 +324,7 @@ t_session_unsubscription_idempotency(Config) ->
 
             ok
         end,
-        fun(Trace) ->
+        fun(_Trace) ->
             Session = session_open(Node1, ClientId),
             ?assertEqual(
                 #{},
diff --git a/apps/emqx/src/emqx_channel.erl b/apps/emqx/src/emqx_channel.erl
index 968ae22b1..3177c1c11 100644
--- a/apps/emqx/src/emqx_channel.erl
+++ b/apps/emqx/src/emqx_channel.erl
@@ -1738,7 +1738,7 @@ maybe_add_cert(Map, #channel{conninfo = ConnInfo}) ->
     maybe_add_cert(Map, ConnInfo);
 maybe_add_cert(Map, #{peercert := PeerCert}) when is_binary(PeerCert) ->
     %% NOTE: it's raw binary at this point,
-    %% encoding to PEM (base64) is done lazy in emqx_authn_utils:render_var
+    %% encoding to PEM (base64) is done lazy in emqx_auth_utils:render_var
     Map#{cert_pem => PeerCert};
 maybe_add_cert(Map, _) ->
     Map.
diff --git a/apps/emqx_auth/include/emqx_authn.hrl b/apps/emqx_auth/include/emqx_authn.hrl
index a55b9409d..782bfb9ca 100644
--- a/apps/emqx_auth/include/emqx_authn.hrl
+++ b/apps/emqx_auth/include/emqx_authn.hrl
@@ -39,6 +39,7 @@
     ?VAR_PEERHOST,
     ?VAR_CERT_SUBJECT,
     ?VAR_CERT_CN_NAME,
+    ?VAR_CERT_PEM,
     ?VAR_NS_CLIENT_ATTRS
 ]).
 
diff --git a/apps/emqx_auth/src/emqx_auth_utils.erl b/apps/emqx_auth/src/emqx_auth_utils.erl
index 5056999d3..ca8c67a9e 100644
--- a/apps/emqx_auth/src/emqx_auth_utils.erl
+++ b/apps/emqx_auth/src/emqx_auth_utils.erl
@@ -207,6 +207,8 @@ render_var(_, undefined) ->
     % Any allowed but undefined binding will be replaced with empty string, even when
     % rendering SQL values.
     <<>>;
+render_var(?VAR_CERT_PEM, Value) ->
+    base64:encode(Value);
 render_var(?VAR_PEERHOST, Value) ->
     inet:ntoa(Value);
 render_var(?VAR_PASSWORD, Value) ->