diff --git a/internal/nodes/http_client_pool.go b/internal/nodes/http_client_pool.go
index 9918bc8..9e12d3d 100644
--- a/internal/nodes/http_client_pool.go
+++ b/internal/nodes/http_client_pool.go
@@ -86,11 +86,11 @@ func (this *HTTPClientPool) Client(req *HTTPRequest, origin *serverconfigs.Origi
 }
 // TLS通讯
- tlsConfig := &tls.Config{
+ var tlsConfig = &tls.Config{
 InsecureSkipVerify: true,
 }
 if origin.Cert != nil {
- obj := origin.Cert.CertObject()
+ var obj = origin.Cert.CertObject()
 if obj != nil {
 tlsConfig.InsecureSkipVerify = false
 tlsConfig.Certificates = []tls.Certificate{*obj}
diff --git a/internal/nodes/origin_utils.go b/internal/nodes/origin_utils.go
index ac9e66b..497fc60 100644
--- a/internal/nodes/origin_utils.go
+++ b/internal/nodes/origin_utils.go
@@ -44,10 +44,22 @@ func OriginConnect(origin *serverconfigs.OriginConfig, remoteAddr string) (net.C
 // TODO 支持TCP4/TCP6
 // TODO 支持指定特定网卡
 // TODO Addr支持端口范围,如果有多个端口时,随机一个端口使用
- // TODO 支持使用证书
- conn, err = tls.DialWithDialer(&dialer, "tcp", origin.Addr.Host+":"+origin.Addr.PortRange, &tls.Config{
+
+ var tlsConfig = &tls.Config{
 InsecureSkipVerify: true,
- })
+ }
+ if origin.Cert != nil {
+ var obj = origin.Cert.CertObject()
+ if obj != nil {
+ tlsConfig.InsecureSkipVerify = false
+ tlsConfig.Certificates = []tls.Certificate{*obj}
+ if len(origin.Cert.ServerName) > 0 {
+ tlsConfig.ServerName = origin.Cert.ServerName
+ }
+ }
+ }
+
+ conn, err = tls.DialWithDialer(&dialer, "tcp", origin.Addr.Host+":"+origin.Addr.PortRange, tlsConfig)
 }
 // TODO 需要在合适的时机删除TOA记录
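Review bot: In the first OriginConnect hunk the new `tlsConfig` still starts from `InsecureSkipVerify: true`, and verification is only switched on inside `if origin.Cert != nil`, so an origin with no client certificate configured is dialed without any check of the certificate it presents. `Certificates` is what this node presents to the origin, whereas `InsecureSkipVerify` decides whether the origin's chain and host name are checked; tying one to the other leaves the default path open to interception between node and origin, and when verification does turn on it presumably runs against the system roots only, since no `RootCAs` is set in the visible lines. Verification should be its own origin setting that defaults to on; until then, record the behaviour where the config is built, e.g. `// NOTE: origin certificate is NOT verified unless origin.Cert is set`. The same block is repeated in the hunk at -69, and the same default is visible in the http_client_pool.go context; OriginConnect starts and ends outside both hunks.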
@@ -69,10 +81,22 @@ func OriginConnect(origin *serverconfigs.OriginConfig, remoteAddr string) (net.C
 // TODO 支持TCP4/TCP6
 // TODO 支持指定特定网卡
 // TODO Addr支持端口范围,如果有多个端口时,随机一个端口使用
- // TODO 支持使用证书
- return tls.Dial("tcp", origin.Addr.Host+":"+origin.Addr.PortRange, &tls.Config{
+
+ var tlsConfig = &tls.Config{
 InsecureSkipVerify: true,
- })
+ }
+ if origin.Cert != nil {
+ var obj = origin.Cert.CertObject()
+ if obj != nil {
+ tlsConfig.InsecureSkipVerify = false
+ tlsConfig.Certificates = []tls.Certificate{*obj}
+ if len(origin.Cert.ServerName) > 0 {
+ tlsConfig.ServerName = origin.Cert.ServerName
+ }
+ }
+ }
+
+ return tls.Dial("tcp", origin.Addr.Host+":"+origin.Addr.PortRange, tlsConfig)
 case serverconfigs.ProtocolUDP:
 addr, err := net.ResolveUDPAddr("udp", origin.Addr.Host+":"+origin.Addr.PortRange)
 if err != nil {
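Review bot: The added lines that build `tlsConfig` here are a verbatim copy of the block added in the hunk at -44, so the two TLS branches of OriginConnect can drift apart the next time one of them is edited, which matters for a setting like `InsecureSkipVerify`. Move the construction into one helper, for example `func originTLSConfig(origin *serverconfigs.OriginConfig) *tls.Config`, and call `tls.Dial("tcp", origin.Addr.Host+":"+origin.Addr.PortRange, originTLSConfig(origin))` in both places. The helper's doc comment should state when verification of the origin is on and where `ServerName` comes from. OriginConnect begins before this hunk and continues after it.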