diff --git a/logtracker/journal/views.py b/logtracker/journal/views.py
index 230c456..8c20125 100644
--- a/logtracker/journal/views.py
+++ b/logtracker/journal/views.py
@@ -80,6 +80,10 @@ def ssl_client_verify(view):
 request.host_verified = cn
 else:
 request.host_verified = dn.split(',')[0].split('=')[1]
+ if settings.CA_ISSUER:
+ ca_issuer = headers.get('HTTP_X_SSL_ISSUER')
+ if ca_issuer != settings.CA_ISSUER:
+ raise PermissionDenied
 else:
 if settings.DEBUG:
 request.host_verified = 'test_host'
diff --git a/logtracker/settings.py b/logtracker/settings.py
index bcb17c7..4892200 100644
--- a/logtracker/settings.py
+++ b/logtracker/settings.py
@@ -26,6 +26,7 @@ DEBUG = False
 ALLOWED_HOSTS = []
+CA_ISSUER = None # dn of the trusted ca certificate; None means all (depending on the underlying haproxy/nginx configuration)
 JOURNAL_HISTORY = 7
 MAIL_HISTORY = 7
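Review bot: The new issuer check reads `HTTP_X_SSL_ISSUER` from `headers`, which is defined outside the hunk; if that is `request.META`, the value is an ordinary `X-SSL-Issuer` request header, so the check holds only when haproxy/nginx sets it on every request and discards any client-supplied copy (WSGI maps the `X_SSL_Issuer` spelling to the same key). I would state that dependency in a comment above the check, e.g. `# X-SSL-Issuer must be overwritten by the TLS-terminating proxy on every request; the backend must not be reachable directly`. The rejection is also silent: logging the presented issuer together with `request.host_verified` before `raise PermissionDenied` would let operators tell a mistyped `CA_ISSUER` from a certificate issued by an unexpected CA. ssl_client_verify begins and ends outside the hunk.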
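Review bot: The comment on `CA_ISSUER` in settings.py does not say that the value is compared verbatim with the issuer DN string the proxy forwards, so it has to match the proxy's DN formatting (attribute order, separators) exactly or every host is rejected. It should also spell out that the default turns the check off: the view tests `if settings.CA_ISSUER:`, so both `None` and an empty string disable issuer pinning. Suggested wording: `# Issuer DN of the trusted CA, compared verbatim with the X-SSL-Issuer header set by haproxy/nginx; None or '' disables the check`. Since this matches a name rather than a key, it presumably still relies on the proxy's own CA bundle for chain verification, which is worth saying in the deployment notes.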