diff --git a/nginx.py b/nginx.py
index 8a16e3b..d04f44a 100644
--- a/nginx.py
+++ b/nginx.py
@@ -63,9 +63,12 @@ def dump_config(vmList, masterAddress):
     with open("/etc/nginx/nginx.conf", "w") as f:
         with open("./config/nginx.json") as j:
+            nginxJson = json.load(j)
             env = jinja2.Environment(loader=jinja2.FileSystemLoader(searchpath="./templates"))
             template = env.get_template("nginx.conf.j2")
+            mapsTemplate = env.get_template("nginx_maps.j2")
+            nginxJson["maps"] = mapsTemplate.render()
             content = template.render(nginxJson)
             f.write(content)
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
index 85dc2cf..a3f64f3 100644
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -11,6 +11,8 @@ events {
 
 http {
+    {{ maps }}
+
     sendfile on;
     tcp_nopush on;
     tcp_nodelay on;
diff --git a/templates/nginx_maps.j2 b/templates/nginx_maps.j2
new file mode 100644
index 0000000..30644b3
--- /dev/null
+++ b/templates/nginx_maps.j2
@@ -0,0 +1,10 @@
+map $ssl_client_s_dn $allow_group_main {
+    default "";
+    ~CN=Sheppy2 true;
+    ~CN=Kathi true;
+}
+
+map $ssl_client_s_dn $allow_group_ths {
+    default "";
+    ~OU=THS true;
+}
diff --git a/templates/nginx_server_block.conf.j2 b/templates/nginx_server_block.conf.j2
index 899dd22..57573e0 100644
--- a/templates/nginx_server_block.conf.j2
+++ b/templates/nginx_server_block.conf.j2
@@ -13,6 +13,12 @@ server{
     listen 80;
     listen [::]:80;
+
+    {% if cert_optional %}
+    ssl_client_certificate ca_cert.pem;
+    ssl_verify_client optional;
+    ssl_verify_depth 1;
+    {% endif %}
 
     {% if extra_location %}
     location {{ extra_location["location"] }} {
@@ -28,6 +34,7 @@ server{
     proxy_pass http://{{ targetip }}:{{ targetport }};
     proxy_set_header Host $http_host;
     {{ proxy_pass_blob }}
+    {{ cert_header_line }}
     {% if basicauth %}
     auth_basic "{{ basicauth }}";
     auth_basic_user_file /etc/nginx/{{ basicauth }}.htpasswd;
diff --git a/vm.py b/vm.py
index 206dca9..5357528 100644
--- a/vm.py
+++ b/vm.py
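Review bot: `nginxJson["maps"] = mapsTemplate.render()` renders the maps template with no context, so the identities that gate access (the `CN=`/`OU=` entries in `templates/nginx_maps.j2`) are fixed in a template file while everything else in dump_config comes from `./config/nginx.json`. Passing the groups in from the JSON, e.g. `nginxJson["maps"] = mapsTemplate.render(groups=nginxJson.get("cert-groups", {}))` (key name illustrative), keeps the allow-list in data, and checking for an existing `maps` key before assigning avoids silently overwriting a value the JSON may already carry. If the split is only for readability, a `{% include "nginx_maps.j2" %}` in `nginx.conf.j2` (the next hunk) achieves it without the Python-side render and the extra key. dump_config continues outside the hunk.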
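Review bot: `~CN=Sheppy2`, `~CN=Kathi` and `~OU=THS` are unanchored regexes over the whole subject DN, so they also match any DN in which that text occurs as a substring (a longer CN such as `CN=Sheppy22`, or the text inside another attribute's value), and `default ""` makes nginx omit the `X-Nginx-Cert-Auth` header entirely for non-members, because proxy_set_header does not pass a header whose value is empty, whereas vm.py sends an explicit `false` for servers without a cert group. Anchor each attribute, e.g. `~"(^|,)CN=Sheppy2(,|$)" true;` (the separator is `,` in the RFC 2253 form nginx uses since 1.11.6, `/` in the legacy form), and use `default false;` so the backend always receives an explicit value. Even if only certificates that verified against `ca_cert.pem` ever reach these maps, the match should be exact rather than a substring test.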
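Review bot: Nothing in this change deploys `ca_cert.pem`, and the path is relative, which nginx resolves against a prefix directory rather than the working directory, so the file has to be placed where that prefix points; an absolute path such as `ssl_client_certificate /etc/nginx/<ca-file>;` makes the dependency explicit next to the generated `/etc/nginx/nginx.conf`. The new `ssl_*` directives sit beside `listen 80;` lines only and take effect solely on a TLS listener, so this relies on the server block's `listen 443 ssl` being above the hunk, which is worth confirming. `ssl_verify_depth 1;` also restricts acceptance to certificates issued directly by that CA, which deserves a comment like `# client certs must be issued directly by the CA in ca_cert.pem (depth 1)` so the intent survives. The server block starts and ends outside the hunk.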
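Review bot: `{{ cert_header_line }}` injects a complete nginx directive assembled in Python, so the syntax of this one `proxy_set_header` lives in vm.py while its neighbours live in the template; passing just the value and writing `proxy_set_header X-Nginx-Cert-Auth {{ cert_auth_value }};` here (name illustrative) keeps the nginx syntax in one place, with the vm.py hunk supplying `"$allow_group_" + cert_group_name` or `"false"`. The header is also set only in this location: if the `extra_location` block rendered earlier in this file proxies to the same backend it needs the same `proxy_set_header`, otherwise a client-supplied `X-Nginx-Cert-Auth` is forwarded unchanged on that path. The location block starts and ends outside the hunk.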
@@ -134,11 +134,23 @@ class VM:
             compositeName = "-".join((self.hostname, subdomain["name"].replace(".","-")))
             targetport = subdomain.get("port") or 80
+
+            # build cert group #
+            if subdomain.get("cert-group"):
+                cert_group_name = subdomain.get("cert-group")
+                header_line = "proxy_set_header X-Nginx-Cert-Auth $allow_group_{};".format(cert_group_name)
+                cert_optional = True
+            else:
+                header_line = "proxy_set_header X-Nginx-Cert-Auth false;"
+                cert_optional = False
+
             component = template.render(targetip=self.ip, targetport=targetport, servernames=[subdomain["name"]], comment=compositeName, proxy_pass_blob=self.proxy_pass_blob, acme=not self.noTerminateACME, basicauth=subdomain.get("basicauth"),
-                                        extra_location=subdomain.get("extra-location"))
+                                        extra_location=subdomain.get("extra-location"),
+                                        cert_optional=cert_optional,
+                                        cert_header_line=header_line)
             components.append(component)
         return components
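Review bot: `cert_group_name` is interpolated straight into the nginx variable name `$allow_group_{}` without being checked against the groups that `templates/nginx_maps.j2` defines (`main`, `ths`), so a typo in a subdomain's `cert-group` yields a config that references an undefined variable and fails at nginx load time instead of at generation time, where the offending subdomain is known. Validate before formatting, e.g. `if cert_group_name not in KNOWN_CERT_GROUPS: raise ValueError(f"unknown cert-group {cert_group_name!r} for {compositeName}")` (constant name illustrative), or at least restrict the value to `[A-Za-z0-9_]+` so it cannot carry nginx syntax into the generated file. `subdomain.get("cert-group")` is also evaluated twice; on Python 3.8+ `if cert_group_name := subdomain.get("cert-group"):` reads cleaner. The enclosing method starts outside the hunk.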