diff --git a/modules/caddyhttp/replacer.go b/modules/caddyhttp/replacer.go
index 3f4a808e..3993433a 100644
--- a/modules/caddyhttp/replacer.go
+++ b/modules/caddyhttp/replacer.go
@@ -25,6 +25,7 @@ import (
 "crypto/tls"
 "crypto/x509"
 "encoding/asn1"
+ "encoding/pem"
 "fmt"
 "io"
 "io/ioutil"
@@ -343,6 +344,9 @@ func getReqTLSReplacement(req *http.Request, key string) (interface{}, bool) {
 return cert.SerialNumber, true
 case "client.subject":
 return cert.Subject, true
+ case "client.certificate_pem":
+ block := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
+ return pem.EncodeToMemory(&block), true
 default:
 return nil, false
 }
diff --git a/modules/caddyhttp/replacer_test.go b/modules/caddyhttp/replacer_test.go
index 49167ee5..486a8e3c 100644
--- a/modules/caddyhttp/replacer_test.go
+++ b/modules/caddyhttp/replacer_test.go
@@ -171,6 +171,10 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
 input: "{http.request.tls.client.san.ips.0}",
 expect: "127.0.0.1",
 },
+ {
+ input: "{http.request.tls.client.certificate_pem}",
+ expect: string(clientCert) + "\n", // returned value comes with a newline appended to it
+ },
 } {
 actual := repl.ReplaceAll(tc.input, "")
 if actual != tc.expect {
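Review bot: The new `client.certificate_pem` case in getReqTLSReplacement returns a multi-line value — `pem.EncodeToMemory` emits the `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----` framing and terminates the last line with `\n` — which matters wherever this placeholder is interpolated into a single-line context such as a log field or a header value, so a short comment on the case would help, e.g. `// PEM-encoded client certificate; multi-line and ends with '\n' (see replacer_test.go)`. The `block` local adds nothing and can be inlined: `return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), true`. `pem.EncodeToMemory` returns nil only when the block carries invalid headers, so with no Headers set the unconditional `true` is safe here; noting that in a comment spares a future reader from adding a nil check. Where `cert` is assigned (presumably the first peer certificate) lies earlier in getReqTLSReplacement, outside this hunk, so whether this exposes only the leaf or the full chain cannot be confirmed from the hunk.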