diff --git a/pkg/serverconfigs/sslconfigs/ssl_cert_config.go b/pkg/serverconfigs/sslconfigs/ssl_cert_config.go
index fdbaa10..c2a48d2 100644
--- a/pkg/serverconfigs/sslconfigs/ssl_cert_config.go
+++ b/pkg/serverconfigs/sslconfigs/ssl_cert_config.go
@@ -35,6 +35,7 @@ type SSLCertConfig struct {
 OCSPError string `yaml:"ocspError" json:"ocspError"`
 cert *tls.Certificate
+ caCerts []*x509.Certificate
 timeBegin time.Time
 timeEnd time.Time
 }
@@ -44,6 +45,8 @@ func (this *SSLCertConfig) Init() error {
 var commonNames []string // 发行组织
 var dnsNames []string // 域名
+ this.caCerts = []*x509.Certificate{}
+
 // 分析证书
 if this.IsCA { // CA证书
 var data = this.CertData
@@ -68,6 +71,7 @@ func (this *SSLCertConfig) Init() error {
 if c == nil {
 return errors.New("no available certificates in file")
 }
+ this.caCerts = append(this.caCerts, c)
 for _, dnsName := range c.DNSNames {
 if !lists.ContainsString(dnsNames, dnsName) {
@@ -141,6 +145,10 @@ func (this *SSLCertConfig) CertObject() *tls.Certificate {
 return this.cert
 }
+func (this *SSLCertConfig) CACerts() []*x509.Certificate {
+ return this.caCerts
+}
+
 // TimeBegin 开始时间
 func (this *SSLCertConfig) TimeBegin() time.Time {
 return this.timeBegin
diff --git a/pkg/serverconfigs/sslconfigs/ssl_policy.go b/pkg/serverconfigs/sslconfigs/ssl_policy.go
index ac57b9c..79daf75 100644
--- a/pkg/serverconfigs/sslconfigs/ssl_policy.go
+++ b/pkg/serverconfigs/sslconfigs/ssl_policy.go
@@ -71,6 +71,8 @@ func (this *SSLPolicy) Init() error {
 }
 // CA certs
+ this.clientCAPool = x509.NewCertPool()
+
 for _, cert := range this.ClientCACerts {
 err := cert.Init()
 if err != nil {
@@ -80,6 +82,10 @@ func (this *SSLPolicy) Init() error {
 for _, dnsName := range cert.DNSNames {
 this.nameMapping[dnsName] = cert.CertObject()
 }
+
+ for _, caCert := range cert.CACerts() {
+ this.clientCAPool.AddCert(caCert)
+ }
 }
 // min version
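Review bot: `this.caCerts = []*x509.Certificate{}` allocates an empty slice where the idiomatic reset is `this.caCerts = nil`, since the later `append` handles a nil slice and nothing in the hunk serialises the field. The reset itself is worth keeping, presumably so that a second Init() on the same config does not accumulate duplicate CA certificates, and that intent deserves a comment: `// reset so repeated Init() calls do not accumulate CA certs`. Init's body continues outside the hunk.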
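Review bot: Every certificate parsed in this branch is appended to caCerts with no check that it is actually a CA certificate, so a leaf certificate that happens to sit in the configured bundle becomes a trust anchor once CACerts() is loaded into a cert pool. Go's verifier enforces BasicConstraints on intermediates but, depending on the Go version, not necessarily on roots taken from the pool, so the filter belongs here: `if c.BasicConstraintsValid && c.IsCA { this.caCerts = append(this.caCerts, c) }`, and consider returning an error for a non-CA entry rather than skipping it silently. The surrounding loop and Init() both start and end outside the hunk.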
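Review bot: `CACerts` is an exported method with no doc comment, unlike its neighbours `CertObject` and `TimeBegin` in this file; suggest `// CACerts returns the CA certificates collected by Init; it is empty until Init has run.` Whether it is populated only when IsCA is set is not visible from this hunk, so say so only if it holds. It also hands out the internal slice, so a caller that appends to or reorders the result aliases the config's own state; if that matters, return a copy with `return append([]*x509.Certificate(nil), this.caCerts...)`.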
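Review bot: The pool is created unconditionally, so a policy with no ClientCACerts now carries an empty, non-nil pool where it previously had a nil one. If clientCAPool is later assigned to tls.Config.ClientCAs (its use is outside this hunk), that changes the empty-list behaviour from verifying client certificates against the system roots to rejecting every client certificate — fail-closed, which may well be intended, but it should be deliberate. Either document it with `// an empty pool rejects all client certs; a nil ClientCAs would fall back to system roots` or guard the allocation with `if len(this.ClientCACerts) > 0 {`. Init's body continues outside the hunk.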
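Review bot: A ClientCACerts entry whose CACerts() comes back empty — for instance one whose IsCA flag is unset, if that is what gates population in SSLCertConfig.Init — contributes nothing to the pool without any diagnostic, and the resulting pool then rejects every client certificate in a way that is hard to trace back to the config. Returning an error keeps the misconfiguration visible: `if len(cert.CACerts()) == 0 { return errors.New("client CA certificate contains no CA certificates") }` placed before the new loop, using whatever error constructor this file already imports. The enclosing for loop's closing brace is in the hunk but Init() continues beyond it.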