diff --git a/agent/middleware/certificate.go b/agent/middleware/certificate.go
index 875d5d595..1a96426fa 100644
--- a/agent/middleware/certificate.go
+++ b/agent/middleware/certificate.go
@@ -1,13 +1,15 @@
 package middleware
 
 import (
-	"errors"
 	"fmt"
+	"net"
+	"net/http"
 	"strings"
 
 	"github.com/1Panel-dev/1Panel/agent/app/api/v2/helper"
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
+	"github.com/1Panel-dev/1Panel/agent/utils/xpack"
 	"github.com/gin-gonic/gin"
 )
 
@@ -17,13 +19,8 @@ func Certificate() gin.HandlerFunc {
 			c.Next()
 			return
 		}
-		if !c.Request.TLS.HandshakeComplete || len(c.Request.TLS.PeerCertificates) == 0 {
-			helper.InternalServer(c, errors.New("no such tls peer certificates"))
-			return
-		}
-		cert := c.Request.TLS.PeerCertificates[0]
-		if cert.Subject.CommonName != "panel_client" {
-			helper.InternalServer(c, fmt.Errorf("err certificate"))
+		if !xpack.ValidateCertificate(c) {
+			CloseDirectly(c)
 			return
 		}
 		conn := c.Request.Header.Get("Connection")
@@ -40,3 +37,18 @@ func Certificate() gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+func CloseDirectly(c *gin.Context) {
+	hijacker, ok := c.Writer.(http.Hijacker)
+	if !ok {
+		c.AbortWithStatus(http.StatusForbidden)
+		return
+	}
+	conn, _, err := hijacker.Hijack()
+	if err != nil {
+		c.AbortWithStatus(http.StatusForbidden)
+		return
+	}
+	_ = conn.(*net.TCPConn).SetLinger(0)
+	conn.Close()
+}
diff --git a/agent/server/server.go b/agent/server/server.go
index 3cd9e9853..5487a6594 100644
--- a/agent/server/server.go
+++ b/agent/server/server.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
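Review bot: The identity check on the client certificate (`cert.Subject.CommonName != "panel_client"`) is dropped in the second hunk and replaced by `xpack.ValidateCertificate(c)`, which in this tree is a stub that ignores its argument and returns true (last hunk of agent/utils/xpack/xpack.go), so in the community build the middleware no longer asserts anything about who presented the certificate. Authorization then rests entirely on `tls.RequireAndVerifyClientCert` in agent/server/server.go, which only proves the certificate chains to the configured CA, not that it is the panel's own client certificate. If the subject check is meant to become an xpack-only feature, the community stub should still carry the previous comparison (guarding `c.Request.TLS == nil` the way the old code guarded `HandshakeComplete`), or the middleware should state in a comment that the community build relies solely on CA-pinned TLS verification. The closure returned by `Certificate` starts and ends outside this hunk.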
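Review bot: `conn.(*net.TCPConn)` in `CloseDirectly` is an unchecked type assertion, and on this agent's TLS listener (server.go installs `server.TLSConfig`) the connection returned by `Hijack` is a `*tls.Conn`, so the assertion panics; net/http recovers the panic, but because the connection is already hijacked `conn.Close()` never runs and the rejected peer is left with an open connection instead of a reset. Unwrap with `tls.Conn.NetConn()` before looking for the `*net.TCPConn` (this needs `"crypto/tls"` imported), and close unconditionally. Separately, nothing aborts the gin chain: the caller only `return`s after `CloseDirectly(c)`, and gin's `Next` loop still runs the remaining handlers, which then write to a hijacked connection; a `c.Abort()` at the end of `CloseDirectly` closes that gap.
```go
func CloseDirectly(c *gin.Context) {
	// … unchanged: Hijacker assertion and Hijack() error handling …
	raw := conn
	if tc, ok := raw.(*tls.Conn); ok { // TLS listener: the TCP socket sits underneath
		raw = tc.NetConn()
	}
	if tc, ok := raw.(*net.TCPConn); ok {
		_ = tc.SetLinger(0) // RST rather than a graceful FIN for the rejected client
	}
	_ = conn.Close()
	c.Abort() // stop gin from running later handlers on a hijacked connection
}
```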
@@ -78,9 +79,17 @@ func Start() {
 		fmt.Printf("failed to load X.509 key pair: %s\n", err)
 		return
 	}
+
 	server.TLSConfig = &tls.Config{
 		Certificates: []tls.Certificate{tlsCert},
-		ClientAuth:   tls.RequireAnyClientCert,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+	caItem, _ := settingRepo.GetValueByKey("RootCrt")
+	if len(caItem) != 0 {
+		caCertPool := x509.NewCertPool()
+		rootCrt, _ := encrypt.StringDecrypt(caItem)
+		caCertPool.AppendCertsFromPEM([]byte(rootCrt))
+		server.TLSConfig.ClientCAs = caCertPool
 	}
 	business.Init()
 	global.LOG.Infof("listen at https://0.0.0.0:%s", global.CONF.Base.Port)
diff --git a/agent/utils/xpack/xpack.go b/agent/utils/xpack/xpack.go
index f3911c85e..798eb8bb7 100644
--- a/agent/utils/xpack/xpack.go
+++ b/agent/utils/xpack/xpack.go
@@ -15,6 +15,7 @@ import (
 	"github.com/1Panel-dev/1Panel/agent/buserr"
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
+	"github.com/gin-gonic/gin"
 )
 
 func RemoveTamper(website string) {}
@@ -72,3 +73,7 @@ func LoadRequestTransport() *http.Transport {
 		IdleConnTimeout: 15 * time.Second,
 	}
 }
+
+func ValidateCertificate(c *gin.Context) bool {
+	return true
+}
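Review bot: When `RootCrt` is empty the `if len(caItem) != 0` branch is skipped and `server.TLSConfig.ClientCAs` stays nil; with `tls.RequireAndVerifyClientCert` Go then verifies client certificates against the system root store, so any certificate issued by a publicly trusted CA passes the handshake — and, with the CN check removed from the middleware in this same commit, reaches the agent's handlers. The errors from `settingRepo.GetValueByKey` and `encrypt.StringDecrypt` and the bool from `AppendCertsFromPEM` are all discarded, so a corrupt or undecryptable stored CA is indistinguishable from a missing one. Start from an empty, non-nil pool so an unconfigured CA fails closed, and report each failure the way the key-pair branch just above does. `Start` begins and ends outside the hunk, and whether an unset `RootCrt` is a legitimate state at first boot is not visible here, so the fence logs rather than returns.
```go
	server.TLSConfig = &tls.Config{
		Certificates: []tls.Certificate{tlsCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		// A nil ClientCAs makes crypto/tls verify client certificates against the
		// system roots; an empty pool means an unset RootCrt rejects every client.
		ClientCAs: x509.NewCertPool(),
	}
	caItem, err := settingRepo.GetValueByKey("RootCrt")
	if err != nil || len(caItem) == 0 {
		fmt.Printf("client CA (RootCrt) is not configured, client certificates will be rejected: %v\n", err)
	} else {
		rootCrt, err := encrypt.StringDecrypt(caItem)
		if err != nil {
			fmt.Printf("failed to decrypt client CA: %s\n", err)
		} else if !server.TLSConfig.ClientCAs.AppendCertsFromPEM([]byte(rootCrt)) {
			fmt.Printf("failed to parse client CA PEM\n")
		}
	}
	// … unchanged: business.Init() and listen …
```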
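Review bot: `ValidateCertificate` in the last hunk of agent/utils/xpack/xpack.go is exported without a doc comment, and nothing tells a reader of the middleware that this implementation ignores `c` and accepts every request. Suggest `// ValidateCertificate reports whether the client certificate presented on c is accepted. This build performs no check of its own and always returns true; the TLS client-certificate verification configured in server.Start is the only check that applies.` so the contract the middleware depends on is stated next to the stub.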