diff --git a/.gitignore b/.gitignore
index 101ceae31..20ae8f090 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,4 @@ erlang.mk
 etc/emqx.conf.rendered
 Mnesia.*/
 elvis
+.stamp
diff --git a/etc/emqx.conf b/etc/emqx.conf
index 24a3a3060..c58c66a46 100644
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@@ -1317,6 +1317,12 @@ listener.ssl.external.access.1 = allow all
 ## Value: Duration
 listener.ssl.external.handshake_timeout = 15s
 
+## Maximum number of non-self-issued intermediate certificates that
+## can follow the peer certificate in a valid certification path.
+##
+## Value: Number
+## listener.ssl.external.depth = 10
+
 ## Path to the file containing the user's private PEM-encoded key.
 ##
 ## See: http://erlang.org/doc/man/ssl.html
diff --git a/priv/emqx.schema b/priv/emqx.schema
index fd5badb68..ccecd8315 100644
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@@ -1368,6 +1368,11 @@ end}.
 {datatype, {duration, ms}}
 ]}.
 
+{mapping, "listener.ssl.$name.depth", "emqx.listeners", [
+ {default, 10},
+ {datatype, integer}
+]}.
+
 {mapping, "listener.ssl.$name.dhfile", "emqx.listeners", [
 {datatype, string}
 ]}.
@@ -1878,6 +1883,7 @@ end}.
 {ciphers, Ciphers},
 {user_lookup_fun, UserLookupFun},
 {handshake_timeout, cuttlefish:conf_get(Prefix ++ ".handshake_timeout", Conf, undefined)},
+ {depth, cuttlefish:conf_get(Prefix ++ ".depth", Conf, undefined)},
 {dhfile, cuttlefish:conf_get(Prefix ++ ".dhfile", Conf, undefined)},
 {keyfile, cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
 {certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
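Review bot: The new comment block for `listener.ssl.external.depth` in etc/emqx.conf does not say when the setting takes effect or what applies while the line stays commented out. Chain depth is enforced as part of peer certificate validation, so as far as I can tell it only matters on a listener that actually verifies client certificates; an operator who raises or lowers it without enabling verification gets no change in behaviour. I would add two comment lines, `## Only enforced when peer certificate verification is enabled for this listener.` and `## Default: 10`, so the commented-out example cannot be read as "unset means unlimited".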
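Review bot: The `listener.ssl.$name.depth` mapping in priv/emqx.schema accepts any integer, so a negative or absurdly large value passes schema validation and is handed to the TLS layer as-is. A validator on the mapping would reject bad values at config-render time, for example `{validators, ["ssl_depth"]}` backed by `{validator, "ssl_depth", "must be a non-negative integer", fun(D) -> D >= 0 end}.` (the validator name is a suggestion, not one taken from the file). Separately, `{default, 10}` means every SSL listener now passes an explicit depth of 10 even when the operator never set one, overriding whatever the runtime's ssl library would have used on its own. If that library default is lower on the OTP releases this project supports, the commit loosens accepted chain length on upgrade, which deserves a line in the commit message or changelog.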
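Review bot: The added `{depth, cuttlefish:conf_get(Prefix ++ ".depth", Conf, undefined)}` entry is built from a caller-supplied `Prefix`, but this commit adds a mapping only for `listener.ssl.$name.depth`. If the same option list is also built for other TLS listener prefixes (the enclosing function starts and ends outside the hunk, so I cannot confirm this), those listeners will always get `undefined` here and operators cannot set a depth for them because the key has no mapping. Either add the matching mappings for those prefixes or note in a comment that `depth` is intentionally limited to `listener.ssl`. It is also worth confirming that `undefined` entries are filtered out before the list reaches the ssl options, as the neighbouring `dhfile`/`keyfile` entries suggest.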