diff --git a/config/envoyconfig/lua.go b/config/envoyconfig/lua.go
index bd3bbb701..178917a61 100644
--- a/config/envoyconfig/lua.go
+++ b/config/envoyconfig/lua.go
@@ -9,18 +9,20 @@ import (
 var luaFS embed.FS

 var luascripts struct {
- ExtAuthzSetCookie string
- CleanUpstream string
- RemoveImpersonateHeaders string
- RewriteHeaders string
+ ExtAuthzSetCookie string
+ CleanUpstream string
+ RemoveImpersonateHeaders string
+ RewriteHeaders string
+ SetClientCertificateMetadata string
 }

 func init() {
 fileToField := map[string]*string{
- "luascripts/clean-upstream.lua": &luascripts.CleanUpstream,
- "luascripts/ext-authz-set-cookie.lua": &luascripts.ExtAuthzSetCookie,
- "luascripts/remove-impersonate-headers.lua": &luascripts.RemoveImpersonateHeaders,
- "luascripts/rewrite-headers.lua": &luascripts.RewriteHeaders,
+ "luascripts/clean-upstream.lua": &luascripts.CleanUpstream,
+ "luascripts/ext-authz-set-cookie.lua": &luascripts.ExtAuthzSetCookie,
+ "luascripts/remove-impersonate-headers.lua": &luascripts.RemoveImpersonateHeaders,
+ "luascripts/rewrite-headers.lua": &luascripts.RewriteHeaders,
+ "luascripts/set-client-certificate-metadata.lua": &luascripts.SetClientCertificateMetadata,
 }

 err := fs.WalkDir(luaFS, "luascripts", func(p string, d fs.DirEntry, err error) error {
diff --git a/config/envoyconfig/luascripts/set-client-certificate-metadata.lua b/config/envoyconfig/luascripts/set-client-certificate-metadata.lua
new file mode 100644
index 000000000..670fb6a0a
--- /dev/null
+++ b/config/envoyconfig/luascripts/set-client-certificate-metadata.lua
@@ -0,0 +1,14 @@
+function envoy_on_request(request_handle)
+ local metadata = request_handle:streamInfo():dynamicMetadata()
+ local ssl = request_handle:streamInfo():downstreamSslConnection()
+ metadata:set("com.pomerium.client-certificate-info", "presented",
+ ssl:peerCertificatePresented())
+ local validated = ssl:peerCertificateValidated()
+ metadata:set("com.pomerium.client-certificate-info", "validated", validated)
+ if validated then
+ metadata:set("com.pomerium.client-certificate-info", "chain",
+ ssl:urlEncodedPemEncodedPeerCertificateChain())
+ end
+end
+
+function envoy_on_response(response_handle) end
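Review bot: The `ssl` handle obtained on the third added line is used without a nil check, and as far as I know Envoy's `downstreamSslConnection()` returns nil when the downstream connection is not TLS, so if this filter can ever be attached to a plaintext listener every request there would fail with a Lua runtime error (which Envoy turns into a local error reply) instead of simply carrying no certificate metadata. Guard it immediately after the lookup, e.g. `if ssl == nil then return end`, and make sure the consumer of `com.pomerium.client-certificate-info` treats absent `presented`/`validated` keys exactly like `false` — or set both keys to `false` inside the guard so the consumer never has an ambiguous "missing" state to interpret. Gating the `chain` entry on `validated` looks right: with a permissive trust-chain policy a certificate can presumably be presented yet unvalidated, and an unvalidated chain must not be treated as an identity. A short header comment naming the metadata namespace, the three keys written, and that `chain` is URL-encoded PEM would help whoever decodes it on the Go side, e.g. `-- Publishes downstream client-cert state under com.pomerium.client-certificate-info: presented, validated, and (only when validated) chain as URL-encoded PEM.`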