diff --git a/pjs/http/forward.js b/pjs/http/forward.js
index 68aaa90..df01ac5 100644
--- a/pjs/http/forward.js
+++ b/pjs/http/forward.js
@@ -256,12 +256,19 @@
         ) : !proxyPreserveHostCache.get(__route) && (
           msg.head.headers.host = __target
         ),
-        __useSSL = Boolean(attrs?.UseSSL),
         attrs?.UpstreamCert ? (
           __cert = attrs?.UpstreamCert
         ) : (
           __cert = __service?.UpstreamCert
         ),
+        __cert ? (
+          !__service?.MTLS && (
+            __useSSL = true,
+            __cert = null
+          )
+        ) : (
+          __useSSL = Boolean(attrs?.UseSSL)
+        ),
         _cookieId ? (
           _cookieId = null
         ) : (
diff --git a/pjs/lib/connect-tls.js b/pjs/lib/connect-tls.js
index 495c7fd..c54f4b6 100644
--- a/pjs/lib/connect-tls.js
+++ b/pjs/lib/connect-tls.js
@@ -81,6 +81,7 @@
   ),
   () => __useSSL, (
     $=>$.connectTLS({
+      trusted: unionCA,
       sni: () => __host || '',
     }).to($ => $.use('lib/connect-tcp.js'))
   ),
diff --git a/tests/shpec/config/metrics-tracing-logging_shpec/config.json b/tests/shpec/config/metrics-tracing-logging_shpec/config.json
index daab540..e191492 100644
--- a/tests/shpec/config/metrics-tracing-logging_shpec/config.json
+++ b/tests/shpec/config/metrics-tracing-logging_shpec/config.json
@@ -694,6 +694,7 @@
       }
     },
     "www8846": {
+      "MTLS": true,
       "Endpoints": {
         "127.0.0.1:8850": {
           "Weight": 100,
@@ -709,6 +710,7 @@
       }
     },
     "www8847": {
+      "MTLS": true,
       "Endpoints": {
         "127.0.0.1:8850": {
           "Weight": 100,
@@ -744,6 +746,7 @@
       }
     },
     "bookstore/bookstore-v1|14001|local": {
+      "MTLS": true,
       "Endpoints": {
         "127.0.0.3:8850": {
           "Weight": 100,
diff --git a/tests/shpec/config/mtls-client_shpec/config.json b/tests/shpec/config/mtls-client_shpec/config.json
index 4e1081f..0d20c7e 100644
--- a/tests/shpec/config/mtls-client_shpec/config.json
+++ b/tests/shpec/config/mtls-client_shpec/config.json
@@ -406,6 +406,7 @@
       }
     },
     "www8846": {
+      "MTLS": true,
       "Endpoints": {
         "127.0.0.1:8850": {
           "Weight": 100,
@@ -421,6 +422,7 @@
       }
     },
     "www8847": {
+      "MTLS": true,
       "Endpoints": {
         "127.0.0.1:8850": {
           "Weight": 100,
@@ -456,6 +458,7 @@
       }
     },
     "bookstore/bookstore-v1|14001|local": {
+      "MTLS": true,
       "Endpoints": {
         "127.0.0.3:8850": {
           "Weight": 100,
diff --git a/tests/shpec/config/mtls-upstream_shpec/config.json b/tests/shpec/config/mtls-upstream_shpec/config.json
index a532e01..6cbe84f 100644
--- a/tests/shpec/config/mtls-upstream_shpec/config.json
+++ b/tests/shpec/config/mtls-upstream_shpec/config.json
@@ -406,6 +406,7 @@
       }
     },
     "www8846": {
+      "MTLS": true,
       "Endpoints": {
         "127.0.0.1:8850": {
           "Weight": 100,
@@ -421,6 +422,7 @@
       }
     },
     "www8847": {
+      "MTLS": true,
       "Endpoints": {
         "127.0.0.1:8850": {
           "Weight": 100,
@@ -456,6 +458,7 @@
       }
     },
     "bookstore/bookstore-v1|14001|local": {
+      "MTLS": true,
       "Endpoints": {
         "127.0.0.3:8850": {
           "Weight": 100,