diff --git a/README.lwsws.md b/README.lwsws.md
index 219b6be853b431eb8adcc8407dc6ac08ff283611..8600596eea830c2e625007f93bbfd7883e29f752 100644
--- a/README.lwsws.md
+++ b/README.lwsws.md
@@ -188,6 +188,7 @@ Other vhost options
 
  - "`access-log`": "filepath"   sets where apache-compatible access logs will be written
 
+ - `"enable-client-ssl"`: `"1"` enables the vhost's client SSL context, you will need this if you plan to create client conections on the vhost that will use SSL.  You don't need it if you only want http / ws client connections.
 
 Mounts
 ------
diff --git a/changelog b/changelog
index c135caba5dfb64142beec1cd6a734d65337b688d..d48a7bea3e7c739158800b529679c19f23149223 100644
--- a/changelog
+++ b/changelog
@@ -29,6 +29,12 @@ Fixes
 5) Allow per-vhost setting of which protocol should get used
 when the protocol: header is not sent by the client
 
+New APIs
+--------
+
+1) lws_init_vhost_client_ssl() lets you also enable client SSL context on a
+vhost.
+
 
 v2.0.0
 ======
diff --git a/lib/context.c b/lib/context.c
index 02f18cdd3d5b52eb832564affe32f2bb3ce4b4d2..c75ad50c747ce14c656de0d67ac1e4942d523c02 100644
--- a/lib/context.c
+++ b/lib/context.c
@@ -484,6 +484,43 @@ bail:
 	return NULL;
 }
 
+/**
+ * lws_init_vhost_client_ssl() - also enable client SSL on an existing vhost
+ *
+ * @info: client ssl related info
+ * @vhost: which vhost to initialize client ssl operations on
+ *
+ * You only need to call this if you plan on using SSL client connections on
+ * the vhost.  For non-SSL client connections, it's not necessary to call this.
+ *
+ * The following members of @info are used during the call
+ *
+ *	 - @options must have LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT set,
+ *	     otherwise the call does nothing
+ *	 - @provided_client_ssl_ctx must be NULL to get a generated client
+ *	     ssl context, otherwise you can pass a prepared one in by setting it
+ *	 - @ssl_cipher_list may be NULL or set to the client valid cipher list
+ *	 - @ssl_ca_filepath may be NULL or client cert filepath
+ *	 - @ssl_cert_filepath may be NULL or client cert filepath
+ *	 - @ssl_private_key_filepath may be NULL or client cert private key
+ *
+ * You must create your vhost explicitly if you want to use this, so you have
+ * a pointer to the vhost.  Create the context first with the option flag
+ * LWS_SERVER_OPTION_EXPLICIT_VHOSTS and then call lws_create_vhost() with
+ * the same info struct.
+ */
+LWS_VISIBLE int
+lws_init_vhost_client_ssl(const struct lws_context_creation_info *info,
+			  struct lws_vhost *vhost)
+{
+	struct lws_context_creation_info i;
+
+	memcpy(&i, info, sizeof(i));
+	i.port = CONTEXT_PORT_NO_LISTEN;
+
+	return lws_context_init_client_ssl(&i, vhost);
+}
+
 /**
  * lws_create_context() - Create the websocket handler
  * @info:	pointer to struct with parameters
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index a130e556bf39bf78a489082dbb795b6d0b2dafa9..457f6859f20cbe52259e16e068f8a11c10981e1b 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -1631,6 +1631,10 @@ LWS_VISIBLE struct lws_vhost *
 lws_create_vhost(struct lws_context *context,
 		 struct lws_context_creation_info *info);
 
+LWS_VISIBLE int
+lws_init_vhost_client_ssl(const struct lws_context_creation_info *info,
+			  struct lws_vhost *vhost);
+
 LWS_VISIBLE struct lws_vhost *
 lws_vhost_get(struct lws *wsi);
 
diff --git a/lib/ssl-client.c b/lib/ssl-client.c
index 10fe444a3cd4f745d508668f61508b40704ed19a..2798f691312c4213a2eefc6a65776d69cfa96283 100644
--- a/lib/ssl-client.c
+++ b/lib/ssl-client.c
@@ -291,17 +291,17 @@ lws_ssl_client_connect2(struct lws *wsi)
 
 
 int lws_context_init_client_ssl(struct lws_context_creation_info *info,
-			        struct lws_vhost *vhost)
+				struct lws_vhost *vhost)
 {
 #if defined(LWS_USE_POLARSSL)
 	return 0;
 #else
 #if defined(LWS_USE_MBEDTLS)
 #else
-	int error;
-	int n;
 	SSL_METHOD *method;
 	struct lws wsi;
+	int error;
+	int n;
 
 	if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
 		return 0;
@@ -311,6 +311,7 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
 		vhost->ssl_client_ctx = info->provided_client_ssl_ctx;
 		/* nothing for lib to delete */
 		vhost->user_supplied_ssl_ctx = 1;
+
 		return 0;
 	}
 
@@ -343,11 +344,10 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
 	}
 
 #ifdef SSL_OP_NO_COMPRESSION
-	SSL_CTX_set_options(vhost->ssl_client_ctx,
-						 SSL_OP_NO_COMPRESSION);
+	SSL_CTX_set_options(vhost->ssl_client_ctx, SSL_OP_NO_COMPRESSION);
 #endif
 	SSL_CTX_set_options(vhost->ssl_client_ctx,
-				       SSL_OP_CIPHER_SERVER_PREFERENCE);
+			    SSL_OP_CIPHER_SERVER_PREFERENCE);
 	if (info->ssl_cipher_list)
 		SSL_CTX_set_cipher_list(vhost->ssl_client_ctx,
 						info->ssl_cipher_list);
diff --git a/lwsws/conf.c b/lwsws/conf.c
index f09d9adabc86c09ead010624b6f6779b67610469..17c2d9db23f79300f4d43e10b7476840bf1d271f 100644
--- a/lwsws/conf.c
+++ b/lwsws/conf.c
@@ -64,6 +64,7 @@ static const char * const paths_vhosts[] = {
 	"vhosts[].ws-protocols[].*",
 	"vhosts[].ws-protocols[]",
 	"vhosts[].keepalive_timeout",
+	"vhosts[].enable-client-ssl",
 };
 
 enum lejp_vhost_paths {
@@ -91,6 +92,7 @@ enum lejp_vhost_paths {
 	LEJPVP_PROTOCOL_NAME,
 	LEJPVP_PROTOCOL,
 	LEJPVP_KEEPALIVE_TIMEOUT,
+	LEJPVP_ENABLE_CLIENT_SSL,
 };
 
 #define MAX_PLUGIN_DIRS 10
@@ -107,6 +109,8 @@ struct jpargs {
 	struct lws_http_mount m;
 	const char **plugin_dirs;
 	int count_plugin_dirs;
+
+	unsigned int enable_client_ssl:1;
 };
 
 static void *
@@ -222,6 +226,7 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
 		a->info->log_filepath = NULL;
 		a->info->options &= ~(LWS_SERVER_OPTION_UNIX_SOCK |
 				      LWS_SERVER_OPTION_STS);
+		a->enable_client_ssl = 0;
 	}
 
 	if (reason == LEJPCB_OBJECT_START &&
@@ -251,6 +256,8 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
 	    (ctx->path_match == LEJPVP + 1 || !ctx->path[0]) &&
 	    a->valid) {
 
+		struct lws_vhost *vhost;
+
 		//lwsl_notice("%s\n", ctx->path);
 		if (!a->info->port) {
 			lwsl_err("Port required (eg, 443)");
@@ -259,12 +266,19 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
 		a->valid = 0;
 		a->info->mounts = a->head;
 
-		if (!lws_create_vhost(a->context, a->info)) {
+		vhost = lws_create_vhost(a->context, a->info);
+		if (!vhost) {
 			lwsl_err("Failed to create vhost %s\n",
 				 a->info->vhost_name);
 			return 1;
 		}
 
+		if (a->enable_client_ssl) {
+			memset(a->info, 0, sizeof(*a->info));
+			a->info->options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
+			lws_init_vhost_client_ssl(a->info, vhost);
+		}
+
 		return 0;
 	}
 
@@ -413,6 +427,9 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
 		a->p += snprintf(a->p, a->end - a->p, "%s", ctx->buf);
 		*(a->p)++ = '\0';
 		break;
+	case LEJPVP_ENABLE_CLIENT_SSL:
+		a->enable_client_ssl = arg_to_bool(ctx->buf);
+		return 0;
 
 	default:
 		return 0;