diff --git a/src/go/plugins/mqtt/mqtt.go b/src/go/plugins/mqtt/mqtt.go
index 6506fcd123..107939a6cb 100644
--- a/src/go/plugins/mqtt/mqtt.go
+++ b/src/go/plugins/mqtt/mqtt.go
@@ -28,6 +28,7 @@ package mqtt
 
 import (
 	"crypto/rand"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -93,9 +94,19 @@ func (p *Plugin) createOptions(clientid, username, password string, b broker) *m
 	opts := mqtt.NewClientOptions().AddBroker(b.url).SetClientID(clientid).SetCleanSession(true).SetConnectTimeout(
 		time.Duration(impl.options.Timeout) * time.Second)
 	if username != "" {
-		opts.SetUsername(username)
-		if password != "" {
-			opts.SetPassword(password)
+		if username[0] == '/' {
+		cert, err := tls.LoadX509KeyPair(username, password)
+			if err != nil {
+				impl.Warningf("failed to load client certificates")
+			}
+		cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
+		opts.SetTLSConfig(cfg)
+		impl.Debugf("set client certificate to %s", username)
+		} else {
+			opts.SetUsername(username)
+			if password != "" {
+				opts.SetPassword(password)
+			}
 		}
 	}
 
@@ -287,6 +298,7 @@ func (p *Plugin) EventSourceByKey(key string) (es watch.EventSource, err error)
 	var ok bool
 	if client, ok = p.mqttClients[broker]; !ok {
 		impl.Tracef("creating client for [%s]", broker.url)
+		impl.Debugf("client username is %s", username)
 
 		client = &mqttClient{nil, broker, make(map[string]*mqttSub), p.createOptions(getClientID(), username, password,
 			broker), false}