diff --git a/pkg/grpcutil/grpcutil.go b/pkg/grpcutil/grpcutil.go
index f536731ce7f4..ae87244cb3c7 100644
--- a/pkg/grpcutil/grpcutil.go
+++ b/pkg/grpcutil/grpcutil.go
@@ -33,6 +33,7 @@ type SecurityConfig struct {
  // KeyPath is the path of file that contains X509 key in PEM format.
  KeyPath string `toml:"key-path" json:"key-path"`
  ClientCertAuth bool `toml:"client-cert-auth" json:"client-cert-auth"`
+ CertAllowedCN string `toml:"cert-allowed-cn" json:"cert-allowed-cn"`
 }
 
 // ToTLSConfig generatres tls config.
@@ -45,6 +46,7 @@ func (s SecurityConfig) ToTLSConfig() (*tls.Config, error) {
  KeyFile: s.KeyPath,
  TrustedCAFile: s.CAPath,
  ClientCertAuth: s.ClientCertAuth,
+ AllowedCN: s.CertAllowedCN,
  }
  tlsConfig, err := tlsInfo.ClientConfig()
  if err != nil {
diff --git a/server/config/config.go b/server/config/config.go
index 781822faa6eb..704ec6fbe1d1 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -1049,9 +1049,12 @@ func (c *Config) GenEmbedEtcdConfig() (*embed.Config, error) {
  cfg.ClientTLSInfo.TrustedCAFile = c.Security.CAPath
  cfg.ClientTLSInfo.CertFile = c.Security.CertPath
  cfg.ClientTLSInfo.KeyFile = c.Security.KeyPath
+ cfg.ClientTLSInfo.AllowedCN = c.Security.CertAllowedCN
+ cfg.PeerTLSInfo.ClientCertAuth = len(c.Security.CAPath) != 0
  cfg.PeerTLSInfo.TrustedCAFile = c.Security.CAPath
  cfg.PeerTLSInfo.CertFile = c.Security.CertPath
  cfg.PeerTLSInfo.KeyFile = c.Security.KeyPath
+ cfg.PeerTLSInfo.AllowedCN = c.Security.CertAllowedCN
  cfg.ForceNewCluster = c.ForceNewCluster
  cfg.ZapLoggerBuilder = embed.NewZapCoreLoggerBuilder(c.logger, c.logger.Core(), c.logProps.Syncer)
  cfg.EnableGRPCGateway = c.EnableGRPCGateway
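Review bot: The new exported field CertAllowedCN in SecurityConfig has no doc comment, while the neighbouring KeyPath field documents its meaning and format; a security-affecting knob like this should say what it constrains. Suggested comment above the field: `// CertAllowedCN is the Common Name that a peer's X509 certificate must present to be accepted; it is applied to both the client-facing and peer-facing TLS settings.` The behaviour of the empty value (presumably no CN restriction) is not visible in this hunk and should be stated once it is confirmed against the TLSInfo implementation. The struct continues outside the hunk.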
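Review bot: The AllowedCN value added to tlsInfo feeds `tlsInfo.ClientConfig()` on the line below, so here the CN constraint applies to the certificate presented by the remote server, whereas in config.go the same CertAllowedCN is applied to the listener side; operators therefore need one CN that matches both server certificates and the client certificates a server accepts. It would help to state that next to the assignment, e.g. `AllowedCN: s.CertAllowedCN, // also checked against the server certificate on the client side`. Whether ClientConfig() enforces AllowedCN at all is inferred from the TLSInfo type, not visible here, and is worth confirming with a test that dials a server whose CN differs. ToTLSConfig's body starts outside the hunk.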
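Review bot: If the line `cfg.PeerTLSInfo.ClientCertAuth = len(c.Security.CAPath) != 0` is newly added, as the hunk's line counts suggest, it silently couples peer client-certificate authentication to the presence of a CA path, while the client-facing ClientCertAuth is configured elsewhere from an explicit flag; the reason for the different policy deserves a comment, e.g. `// Peers must always present a certificate signed by the configured CA; AllowedCN below only has effect when this is on.` It is also worth noting that with an empty CAPath the peer AllowedCN assignment has nothing to verify against, so a CertAllowedCN set without a CA should probably be rejected at config validation rather than ignored. Whether such validation exists is not visible in this hunk. GenEmbedEtcdConfig's body starts and ends outside the hunk.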