diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt index fe96d3b13..2c5cfae96 100644 --- a/doc/proxy-protocol.txt +++ b/doc/proxy-protocol.txt @@ -30,6 +30,7 @@ Revision history 2020/03/05 - added the unique ID TLV type (Tim Düsterhus) 2025/09/09 - added SSL-related TLVs for key exchange group and signature scheme (Steven Collison) + 2026/01/15 - added SSL client certificate TLV (Simon Ser) 1. Background @@ -536,20 +537,21 @@ the information they choose to publish. The following types have already been registered for the field : - #define PP2_TYPE_ALPN 0x01 - #define PP2_TYPE_AUTHORITY 0x02 - #define PP2_TYPE_CRC32C 0x03 - #define PP2_TYPE_NOOP 0x04 - #define PP2_TYPE_UNIQUE_ID 0x05 - #define PP2_TYPE_SSL 0x20 - #define PP2_SUBTYPE_SSL_VERSION 0x21 - #define PP2_SUBTYPE_SSL_CN 0x22 - #define PP2_SUBTYPE_SSL_CIPHER 0x23 - #define PP2_SUBTYPE_SSL_SIG_ALG 0x24 - #define PP2_SUBTYPE_SSL_KEY_ALG 0x25 - #define PP2_SUBTYPE_SSL_GROUP 0x26 - #define PP2_SUBTYPE_SSL_SIG_SCHEME 0x27 - #define PP2_TYPE_NETNS 0x30 + #define PP2_TYPE_ALPN 0x01 + #define PP2_TYPE_AUTHORITY 0x02 + #define PP2_TYPE_CRC32C 0x03 + #define PP2_TYPE_NOOP 0x04 + #define PP2_TYPE_UNIQUE_ID 0x05 + #define PP2_TYPE_SSL 0x20 + #define PP2_SUBTYPE_SSL_VERSION 0x21 + #define PP2_SUBTYPE_SSL_CN 0x22 + #define PP2_SUBTYPE_SSL_CIPHER 0x23 + #define PP2_SUBTYPE_SSL_SIG_ALG 0x24 + #define PP2_SUBTYPE_SSL_KEY_ALG 0x25 + #define PP2_SUBTYPE_SSL_GROUP 0x26 + #define PP2_SUBTYPE_SSL_SIG_SCHEME 0x27 + #define PP2_SUBTYPE_SSL_CLIENT_CERT 0x28 + #define PP2_TYPE_NETNS 0x30 2.2.1 PP2_TYPE_ALPN 
@@ -672,6 +674,10 @@ The second level TLV PP2_SUBTYPE_SSL_SIG_SCHEME provides the US-ASCII string name of the algorithm the frontend used to sign the ServerKeyExchange or CertificateVerify message, for example "rsa_pss_rsae_sha256". +The optional second level TLV PP2_SUBTYPE_SSL_CLIENT_CERT provides the raw +X.509 client certificate encoded in ASN.1 DER. The frontend may choose to omit +this TLV depending on configuration. + In all cases, the string representation (in UTF8) of the Common Name field (OID: 2.5.4.3) of the client certificate's Distinguished Name, is appended using the TLV format and the type PP2_SUBTYPE_SSL_CN. E.g. "example.com".
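Review bot: in the @@ -536,20 +537,21 @@ hunk, every existing #define line is removed and re-added unchanged apart from column alignment; only `#define PP2_SUBTYPE_SSL_CLIENT_CERT 0x28` is actually new. That makes the whole table show up in `git blame` as this commit and forces reviewers to compare the 14 `-`/`+` pairs by eye. The realignment is understandable (PP2_SUBTYPE_SSL_CLIENT_CERT is one character longer than PP2_SUBTYPE_SSL_SIG_SCHEME), but either split the whitespace change into its own commit or say in the commit message that the other lines are alignment-only, so the semantic change (a new sub-TLV type, 0x28, the next free value before PP2_TYPE_NETNS 0x30) stands out.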
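Review bot: the new PP2_SUBTYPE_SSL_CLIENT_CERT paragraph in the @@ -672,6 +674,10 @@ hunk leaves three points undefined that a receiver implementer needs. First, "the raw X.509 client certificate" should say whether it is the end-entity certificate alone or the whole chain the client presented; a receiver that wants to re-validate needs to know, and a chain is much larger than a single leaf. Second, the TLV's length field and the v2 header length both cap the payload, so the text should state what the frontend does when the DER does not fit (omit the TLV, or refuse the connection); a silently truncated DER blob is worse than no TLV, and "may choose to omit this TLV depending on configuration" does not cover that case. Third, the paragraph should state whether the TLV is emitted regardless of the certificate verification outcome, and make explicit that its presence by itself is not proof that the frontend validated the certificate, otherwise a backend may treat any DER it receives as an authenticated identity. Suggested wording, to be adjusted to what the implementation actually does: "The optional second level TLV PP2_SUBTYPE_SSL_CLIENT_CERT carries the end-entity X.509 certificate presented by the client, encoded in ASN.1 DER, without the rest of the chain. It is emitted only when a client certificate was presented and the frontend is configured to forward it, and is omitted when the encoded certificate would not fit in the TLV. Its presence does not by itself indicate that the certificate was verified."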