diff --git a/pkg/apiserver/handler_proxy.go b/pkg/apiserver/handler_proxy.go
index f6255ea5..3a880b6b 100644
--- a/pkg/apiserver/handler_proxy.go
+++ b/pkg/apiserver/handler_proxy.go
@@ -241,7 +241,10 @@ func (r *proxyHandler) updateAPIService(apiService *apiregistrationv1api.APIServ
 CAData: apiService.Spec.CABundle,
 },
 }
- clientConfig.Wrap(x509metrics.NewMissingSANRoundTripperWrapperConstructor(x509MissingSANCounter))
+ clientConfig.Wrap(x509metrics.NewDeprecatedCertificateRoundTripperWrapperConstructor(
+ x509MissingSANCounter,
+ x509InsecureSHA1Counter,
+ ))

 newInfo := proxyHandlingInfo{
 name: apiService.Name,
diff --git a/pkg/apiserver/metrics.go b/pkg/apiserver/metrics.go
index ba25750e..03315e98 100644
--- a/pkg/apiserver/metrics.go
+++ b/pkg/apiserver/metrics.go
@@ -34,6 +34,19 @@ var x509MissingSANCounter = metrics.NewCounter(
 },
 )

+var x509InsecureSHA1Counter = metrics.NewCounter(
+ &metrics.CounterOpts{
+ Subsystem: "kube_aggregator",
+ Namespace: "apiserver",
+ Name: "x509_insecure_sha1_total",
+ Help: "Counts the number of requests to servers with insecure SHA1 signatures " +
+ "in their serving certificate OR the number of connection failures " +
+ "due to the insecure SHA1 signatures (either/or, based on the runtime environment)",
+ StabilityLevel: metrics.ALPHA,
+ },
+)
+
 func init() {
 legacyregistry.MustRegister(x509MissingSANCounter)
+ legacyregistry.MustRegister(x509InsecureSHA1Counter)
 }
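Review bot: In handler_proxy.go the new `clientConfig.Wrap(...)` call has no comment explaining why the round-tripper is wrapped. Both counters passed to it are created with `metrics.NewCounter`, so they carry no labels, and a rising `x509_insecure_sha1_total` cannot be tied to the APIService whose backend presented the certificate. I would add a comment above the call such as `// Count backends whose serving cert lacks SANs or is SHA-1 signed; the counters are unlabelled, so identify the APIService from logs.` Whether the wrapper itself logs or annotates the offending host is not visible here and is worth confirming before relying on the metric alone. updateAPIService starts and ends outside the hunk.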
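Review bot: In metrics.go the Help text of `x509InsecureSHA1Counter` makes one counter stand for two different conditions: requests served by a backend with a SHA-1-signed certificate, or connections that failed because of that signature. It says only that the runtime environment decides which. An operator alerting on this metric cannot tell a weak-but-working backend from an outage without knowing that setting. The declaration should get a doc comment that names the deciding factor (presumably whether the Go runtime still accepts SHA-1 signatures; confirm) and says that any non-zero value means a backend certificate needs reissuing. For example: `// x509InsecureSHA1Counter counts aggregated-API backends seen with SHA-1-signed serving certs; each increment is either a served request or a failed connection, depending on whether the runtime accepts SHA-1.`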