diff --git a/src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs b/src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs index 259f2c61b681..57c75c614e1e 100644 --- a/src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs +++ b/src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs @@ -1,4 +1,4 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; @@ -15,17 +15,32 @@ internal class ConfigurationReader private const string EndpointDefaultsKey = "EndpointDefaults"; private const string EndpointsKey = "Endpoints"; private const string UrlKey = "Url"; + private const string ClientCertificateModeKey = "ClientCertificateMode"; private IConfiguration _configuration; private IDictionary _certificates; private IList _endpoints; private EndpointDefaults _endpointDefaults; - + private string _clientCertificateMode; public ConfigurationReader(IConfiguration configuration) { _configuration = configuration ?? throw new ArgumentNullException(nameof(configuration)); } + + public string ClientCertificateMode + { + get + { + if (string.IsNullOrEmpty(_clientCertificateMode)) + { + ReadClientCertificateMode(); + } + return _clientCertificateMode; + } + } + + public IDictionary Certificates { get @@ -65,6 +80,10 @@ public IEnumerable Endpoints } } + private void ReadClientCertificateMode() + { + _clientCertificateMode = _configuration[ClientCertificateModeKey]; + } private void ReadCertificates() { _certificates = new Dictionary(0); @@ -121,8 +140,8 @@ private void ReadEndpoints() _endpoints.Add(endpoint); } } - - private static HttpProtocols? ParseProtocols(string protocols) + + private static HttpProtocols? ParseProtocols(string protocols) { if (Enum.TryParse(protocols, ignoreCase: true, out var result)) { 
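Review bot: The `ClientCertificateMode` getter uses `string.IsNullOrEmpty(_clientCertificateMode)` as its "not read yet" test, so when the key is absent or empty the configuration is read again on every access instead of being cached. The other lazily loaded members are only partly visible here, so whether they behave the same way cannot be confirmed. Because this value decides whether client certificates are requested, the property should carry a doc comment saying it is the raw, unvalidated string from the top-level key (assigned in `ReadClientCertificateMode` in the following hunk), for example `/// <summary>Raw top-level "ClientCertificateMode" value; null when not configured. Not validated here.</summary>`. The two blank lines added after the property and the missing blank line before the constructor look unintentional.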
diff --git a/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs b/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs index 4522fedd6293..41754363867b 100644 --- a/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs +++ b/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs @@ -244,6 +244,7 @@ public void Load() // Specified httpsOptions.ServerCertificate = LoadCertificate(endpoint.Certificate, endpoint.Name) ?? httpsOptions.ServerCertificate; + httpsOptions.ClientCertificateMode = LoadClientCertificateMode(ConfigurationReader) ?? httpsOptions.ClientCertificateMode; // Fallback Options.ApplyDefaultCert(httpsOptions); @@ -275,6 +276,15 @@ public void Load() } } + private ClientCertificateMode? LoadClientCertificateMode(ConfigurationReader configReader) + { + if (Enum.TryParse(configReader.ClientCertificateMode, ignoreCase: true, out var clientCertificateMode)) + { + return clientCertificateMode; + } + return null; + } + private void LoadDefaultCert(ConfigurationReader configReader) { if (configReader.Certificates.TryGetValue("Default", out var defaultCertConfig)) diff --git a/src/Servers/Kestrel/Kestrel/test/ConfigurationReaderTests.cs b/src/Servers/Kestrel/Kestrel/test/ConfigurationReaderTests.cs index a8b36b29f3bd..d37026d52dd8 100644 --- a/src/Servers/Kestrel/Kestrel/test/ConfigurationReaderTests.cs +++ b/src/Servers/Kestrel/Kestrel/test/ConfigurationReaderTests.cs @@ -1,4 +1,4 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; 
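Review bot: The added assignment follows `LoadCertificate(endpoint.Certificate, endpoint.Name)` and so appears to run once per endpoint, yet the value comes from a single top-level key. One setting is therefore applied to every HTTPS endpoint and, when present, replaces whatever `httpsOptions.ClientCertificateMode` already held. That would include replacing a stricter mode established earlier with a weaker one from configuration. If this precedence is intended, it should be stated next to the line, e.g. `// Top-level ClientCertificateMode from configuration overrides the HTTPS defaults and applies to all endpoints.` The rest of `Load()` is outside the hunk, so the order relative to code-configured defaults is inferred rather than confirmed.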
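Review bot: `LoadClientCertificateMode` returns null both when the key is absent and when its value fails to parse, so a misspelled `RequireCertificate` is silently dropped and the endpoint keeps its previous mode. For a setting that controls client authentication this fails open. `Enum.TryParse` also accepts numeric strings, so a value such as `"7"` would produce an undefined enum member. Returning null only for a missing value and throwing on anything unrecognised would surface the misconfiguration at startup. The exception type and message below are a sketch rather than the project's resource strings.

```csharp
private ClientCertificateMode? LoadClientCertificateMode(ConfigurationReader configReader)
{
    var configured = configReader.ClientCertificateMode;
    if (string.IsNullOrEmpty(configured))
    {
        // Not configured: keep whatever httpsOptions already has.
        return null;
    }

    if (Enum.TryParse<ClientCertificateMode>(configured, ignoreCase: true, out var mode)
        && Enum.IsDefined(typeof(ClientCertificateMode), mode))
    {
        return mode;
    }

    // Fail closed: an unrecognised value must not fall back silently to a weaker mode.
    throw new InvalidOperationException($"Unrecognised ClientCertificateMode value '{configured}'.");
}
```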
@@ -12,6 +12,28 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Tests { public class ConfigurationReaderTests { + + [Fact] + public void ReadClientCertificateMode_ReturnsValue() + { + var config = new ConfigurationBuilder().AddInMemoryCollection( + new[] + { + new KeyValuePair("ClientCertificateMode", "AllowCertificate") + } + ).Build(); + var reader = new ConfigurationReader(config); + var clientCertificateMode = reader.ClientCertificateMode; + Assert.NotNull(clientCertificateMode); + } + [Fact] + public void ReadClientCertificateModeWhenNoClientCertificateMode_ReturnsNull() + { + var config = new ConfigurationBuilder().AddInMemoryCollection().Build(); + var reader = new ConfigurationReader(config); + var clientCertificateMode = reader.ClientCertificateMode; + Assert.Null(clientCertificateMode); + } [Fact] public void ReadCertificatesWhenNoCertificatesSection_ReturnsEmptyCollection() {
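Review bot: `ReadClientCertificateMode_ReturnsValue` only checks `Assert.NotNull(clientCertificateMode)`, so it would pass if the reader returned any string at all; `Assert.Equal("AllowCertificate", clientCertificateMode);` pins the value actually read. None of the hunks shown here tests the loader side: that a configured mode reaches the HTTPS options, or what happens with an unrecognised value. That is the behaviour that determines whether client certificates are enforced. A blank line before the second `[Fact]` would match the spacing of the existing tests.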