diff --git a/src/tls13.c b/src/tls13.c
index 2fd6e18ba..1097cf385 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -5034,6 +5034,11 @@ static int SendTls13Certificate(WOLFSSL* ssl)
     byte certReqCtxLen = 0;
     byte* certReqCtx = NULL;
+#ifdef OPENSSL_EXTRA
+    WOLFSSL_X509* x509 = NULL;
+    WOLFSSL_EVP_PKEY* pkey = NULL;
+#endif
+
     WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
     WOLFSSL_ENTER("SendTls13Certificate");
@@ -5044,6 +5049,22 @@ static int SendTls13Certificate(WOLFSSL* ssl)
     }
 #endif
+#ifdef OPENSSL_EXTRA
+    /* call client cert callback if no cert has been loaded */
+    if ((ssl->ctx->CBClientCert != NULL) &&
+        (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer)) {
+        ret = ssl->ctx->CBClientCert(ssl, &x509, &pkey);
+        if (ret == 1) {
+            if ((wolfSSL_CTX_use_certificate(ssl->ctx, x509) == WOLFSSL_SUCCESS) &&
+                (wolfSSL_CTX_use_PrivateKey(ssl->ctx, pkey) == WOLFSSL_SUCCESS)) {
+                ssl->options.sendVerify = SEND_CERT;
+            }
+            wolfSSL_X509_free(x509);
+            wolfSSL_EVP_PKEY_free(pkey);
+        }
+    }
+#endif
+
     if (ssl->options.sendVerify == SEND_BLANK_CERT) {
         certSz = 0;
         certChainSz = 0;
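Review bot: The credential returned by CBClientCert is installed on the shared `ssl->ctx` through `wolfSSL_CTX_use_certificate`/`wolfSSL_CTX_use_PrivateKey`, while the guard that decides to invoke the callback inspects the per-connection `ssl->buffers.certificate`; a certificate and key picked for this one handshake thereby become the default for every WOLFSSL object created from that context, and whether the connection being built here ever sees them in its own buffers before the send continues past the hunk cannot be confirmed from these lines. Loading them on the connection instead, `wolfSSL_use_certificate(ssl, x509)` and `wolfSSL_use_PrivateKey(ssl, pkey)`, keeps the selection scoped to the handshake that asked for it. The `ret == 1` branch also trusts that the callback set both out-pointers; guarding with `if (ret == 1 && x509 != NULL && pkey != NULL)` before the loaders avoids handing them NULL, and if the callback succeeds with the certificate loaded but the key rejected, the context is left with a certificate it cannot sign for while `sendVerify` stays unchanged, which deserves either an explicit error return or a comment stating that this fallback is intended. Finally, `ret` retains a non-1 callback result on the failure path; SendTls13Certificate continues beyond the hunk, so whether a later check treats that value as an error is not visible here and should be verified.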