diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 350ee2cb2407..7e5fb199c854 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1612,11 +1612,6 @@ struct mbedtls_ssl_context
 uint16_t MBEDTLS_PRIVATE(mtu); /*!< path mtu, used to fragment outgoing messages */
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
- /*
- * PKI layer
- */
- int MBEDTLS_PRIVATE(client_auth); /*!< flag for client auth. */
-
 /*
 * User settings
 */
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index e411b704909c..825034a8d833 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -3137,12 +3137,13 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
 }
 ssl->state++;
- ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
+ ssl->handshake->client_auth =
+ ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
- ssl->client_auth ? "a" : "no" ) );
+ ssl->handshake->client_auth ? "a" : "no" ) );
- if( ssl->client_auth == 0 )
+ if( ssl->handshake->client_auth == 0 )
 {
 /* Current message is probably the ServerHelloDone */
 ssl->keep_current_message = 1;
@@ -3794,7 +3795,8 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
 return( 0 );
 }
- if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
+ if( ssl->handshake->client_auth == 0 ||
+ mbedtls_ssl_own_cert( ssl ) == NULL )
 {
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
 ssl->state++;
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index aaed88bd13fb..8cb9576ff6c1 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
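Review bot: Replacing `ssl->client_auth` with `ssl->handshake->client_auth` in ssl_parse_certificate_request introduces a dereference of `ssl->handshake` that the old context field never required; the same applies to the ssl_write_certificate_verify hunk below it and to the mbedtls_ssl_write_certificate hunk in ssl_tls.c. Inside the handshake state machine that pointer is presumably live, but handshake params are released when the handshake completes, so any caller that reaches these functions after that point would now fault instead of reading a stale flag; the callers are not visible here, so this is worth confirming rather than assuming. A one-line precondition at the top of each function would make the new dependency explicit: `/* Requires ssl->handshake != NULL: client_auth now lives in the handshake params. */`. Both ssl_cli.c functions start outside the hunks shown.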
@@ -775,6 +775,12 @@ struct mbedtls_ssl_handshake_params
 * but can be overwritten by the HRR. */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_CLI_C)
+ uint8_t client_auth; /*!< used to check if CertificateRequest has been
+ received from server side. If CertificateRequest
+ has been received, Certificate and CertificateVerify
+ should be sent to server */
+#endif /* MBEDTLS_SSL_CLI_C */
 /*
 * State-local variables used during the processing
 * of a specific handshake state.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ec8dbfb530a3..988fafbd6f88 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1706,7 +1706,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_CLI_C)
 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
 {
- if( ssl->client_auth == 0 )
+ if( ssl->handshake->client_auth == 0 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
 ssl->state++;
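Review bot: The new doc comment on `client_auth` explains what the flag means but not its lifetime, which is the property this move out of mbedtls_ssl_context actually changes: the value now exists only while the handshake params are live and is reset with them, and the diff does not show where it is initialised, so a reader cannot tell from here that it starts at 0 before CertificateRequest is parsed. The sibling hunks test it with `== 0` and assign it from a comparison, so the comment should also pin it as a 0/1 value rather than a generic "used to check" phrase. Suggested wording: `/*!< 1 if a CertificateRequest was received from the server during this handshake, 0 otherwise; when 1, Certificate and CertificateVerify must be sent. Valid only while the handshake params are live. */`. The struct definition starts and ends outside the hunk.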