diff --git a/command/agent/config-test-fixtures/basic.hcl b/command/agent/config-test-fixtures/basic.hcl
index cd741295df6c..8d4880a7d27e 100644
--- a/command/agent/config-test-fixtures/basic.hcl
+++ b/command/agent/config-test-fixtures/basic.hcl
@@ -138,4 +138,5 @@ tls {
 ca_file = "foo"
 cert_file = "bar"
 key_file = "pipe"
+ verify_https_client = true
 }
diff --git a/command/agent/config_parse.go b/command/agent/config_parse.go
index 43e9e5b22e25..403f5b75b5ca 100644
--- a/command/agent/config_parse.go
+++ b/command/agent/config_parse.go
@@ -689,6 +689,7 @@ func parseTLSConfig(result **config.TLSConfig, list *ast.ObjectList) error {
 "ca_file",
 "cert_file",
 "key_file",
+ "verify_https_client",
 }
 
 if err := checkHCLKeys(listVal, valid); err != nil {
diff --git a/command/agent/config_parse_test.go b/command/agent/config_parse_test.go
index 19fccdf64a65..9774b0db3fde 100644
--- a/command/agent/config_parse_test.go
+++ b/command/agent/config_parse_test.go
@@ -154,6 +154,7 @@ func TestConfig_Parse(t *testing.T) {
 CAFile: "foo",
 CertFile: "bar",
 KeyFile: "pipe",
+ VerifyHTTPSClient: true,
 },
 HTTPAPIResponseHeaders: map[string]string{
 "Access-Control-Allow-Origin": "*",
diff --git a/command/agent/http.go b/command/agent/http.go
index 8dbfca78eebd..bdae5ee337c4 100644
--- a/command/agent/http.go
+++ b/command/agent/http.go
@@ -65,7 +65,7 @@ func NewHTTPServer(agent *Agent, config *Config) (*HTTPServer, error) {
 // If TLS is enabled, wrap the listener with a TLS listener
 if config.TLSConfig.EnableHTTP {
 tlsConf := &tlsutil.Config{
- VerifyIncoming: false,
+ VerifyIncoming: config.TLSConfig.VerifyHTTPSClient,
 VerifyOutgoing: true,
 VerifyServerHostname: config.TLSConfig.VerifyServerHostname,
 CAFile: config.TLSConfig.CAFile,
diff --git a/nomad/structs/config/tls.go b/nomad/structs/config/tls.go
index aea3cc4dfd40..2baa76a07f7f 100644
--- a/nomad/structs/config/tls.go
+++ b/nomad/structs/config/tls.go
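Review bot: Wiring VerifyIncoming to verify_https_client comes with no check that ca_file is set, and client-certificate verification has nothing to validate against without a CA bundle; unless tlsutil already rejects that combination (not visible here), the failure presumably surfaces as every client handshake being refused at runtime instead of a clear configuration error at startup. A guard next to the changed line, `if config.TLSConfig.VerifyHTTPSClient && config.TLSConfig.CAFile == "" { return nil, fmt.Errorf("verify_https_client requires ca_file") }`, fails fast (the same check could equally live in parseTLSConfig; fmt is presumably already imported). The `+` line also deserves a why-comment, e.g. `// Require and verify a client certificate only when the operator opts in; the default leaves the HTTPS API open to any TLS client.`, with the mapping of VerifyIncoming to client-cert verification in tlsutil confirmed before the comment asserts it. NewHTTPServer's body continues outside the hunk.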
@@ -28,6 +28,9 @@ type TLSConfig struct {
 // KeyFile is used to provide a TLS key that is used for serving TLS connections.
 // Must be provided to serve TLS connections.
 KeyFile string `mapstructure:"key_file"`
+
+ // Verify connections to the HTTPS API
+ VerifyHTTPSClient bool `mapstructure:"verify_https_client"`
 }
 
 // Merge is used to merge two TLS configs together
@@ -52,6 +55,8 @@ func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
 if b.KeyFile != "" {
 result.KeyFile = b.KeyFile
 }
-
+ if b.VerifyHTTPSClient {
+ result.VerifyHTTPSClient = true
+ }
 return &result
 }
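Review bot: The doc comment `// Verify connections to the HTTPS API` on the new field undersells what it switches on: the http.go change in this commit feeds it into VerifyIncoming, so an operator reading the struct needs to learn that this is mutual TLS (clients must present a certificate) and that it is off by default. Suggested replacement: `// VerifyHTTPSClient, when true, requires every client of the HTTPS API to present a certificate that verifies against CAFile (mutual TLS). Defaults to false, which accepts any TLS client.` The "verifies against CAFile" part presumes tlsutil uses CAFile as the client CA pool; confirm that before documenting it. The neighbouring KeyFile comment uses the Name-first form, so this also keeps the style consistent.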
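Review bot: The merge is sticky-true: `if b.VerifyHTTPSClient { result.VerifyHTTPSClient = true }` lets a later config file enable client verification but never disable it, because a false in b is indistinguishable from "not set". That is the safe direction for a security flag and likely mirrors how the file's other booleans are merged (not visible in this hunk), but it deserves to be stated, since `verify_https_client = false` in an override file is silently ignored. A one-line comment above the check, `// A true value wins; client verification cannot be switched off by a later config file.`, records the intent; if last-writer-wins is actually wanted, the field would need to be a `*bool`. Merge's body starts outside the hunk.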