diff --git a/opencloudApp/src/main/java/eu/opencloud/android/presentation/accounts/ManageAccountsAdapter.kt b/opencloudApp/src/main/java/eu/opencloud/android/presentation/accounts/ManageAccountsAdapter.kt
index 3327ef4443..4aa327c085 100644
--- a/opencloudApp/src/main/java/eu/opencloud/android/presentation/accounts/ManageAccountsAdapter.kt
+++ b/opencloudApp/src/main/java/eu/opencloud/android/presentation/accounts/ManageAccountsAdapter.kt
@@ -135,6 +135,11 @@ class ManageAccountsAdapter(
                     setImageResource(R.drawable.ic_clean_account)
                     setOnClickListener { accountListener.cleanAccountLocalStorage(account) }
                 }
+                /// bind listener to manage the client certificate (mTLS) of the account
+                holder.binding.mtlsAccountButton.apply {
+                    setImageResource(R.drawable.ic_lock)
+                    setOnClickListener { accountListener.manageClientCertificate(account, it) }
+                }
                 /// bind listener to remove account
                 holder.binding.removeButton.apply {
                     setImageResource(R.drawable.ic_action_delete_grey)
@@ -240,6 +245,7 @@ class ManageAccountsAdapter(
         fun cleanAccountLocalStorage(account: Account)
         fun createAccount()
         fun switchAccount(position: Int)
+        fun manageClientCertificate(account: Account, anchor: View)
     }
 
 }
diff --git a/opencloudApp/src/main/java/eu/opencloud/android/presentation/accounts/ManageAccountsDialogFragment.kt b/opencloudApp/src/main/java/eu/opencloud/android/presentation/accounts/ManageAccountsDialogFragment.kt
index 6bc7a06546..d471b22b20 100644
--- a/opencloudApp/src/main/java/eu/opencloud/android/presentation/accounts/ManageAccountsDialogFragment.kt
+++ b/opencloudApp/src/main/java/eu/opencloud/android/presentation/accounts/ManageAccountsDialogFragment.kt
@@ -29,11 +29,14 @@ import android.app.AlertDialog
 import android.app.Dialog
 import android.content.Intent
 import android.os.Bundle
+import android.security.KeyChain
 import android.view.ContextThemeWrapper
 import android.view.View
 import android.widget.ImageView
 import android.widget.LinearLayout
+import android.widget.PopupMenu
 import android.widget.ProgressBar
+import android.widget.Toast
 import androidx.core.view.isVisible
 import androidx.fragment.app.DialogFragment
 import androidx.recyclerview.widget.LinearLayoutManager
@@ -44,6 +47,8 @@ import eu.opencloud.android.domain.user.model.UserQuota
 import eu.opencloud.android.extensions.avoidScreenshotsIfNeeded
 import eu.opencloud.android.extensions.collectLatestLifecycleFlow
 import eu.opencloud.android.extensions.showErrorInSnackbar
+import eu.opencloud.android.lib.common.SingleSessionManager
+import eu.opencloud.android.lib.common.accounts.AccountUtils as LibAccountUtils
 import eu.opencloud.android.presentation.authentication.AccountUtils
 import eu.opencloud.android.presentation.common.UIResult
 import eu.opencloud.android.ui.activity.FileActivity
@@ -145,6 +150,60 @@ class ManageAccountsDialogFragment : DialogFragment(), ManageAccountsAdapter.Acc
         dialog.show()
     }
 
+    /**
+     * Lets the user set, change or remove the client certificate (mTLS) presented for [account].
+     * The chosen alias is stored in the account's userData and the cached HTTP clients are
+     * invalidated so the next request uses the updated certificate.
+     */
+    override fun manageClientCertificate(account: Account, anchor: View) {
+        val hasCert = !LibAccountUtils.getClientCertAliasForAccount(requireContext(), account).isNullOrBlank()
+        PopupMenu(requireContext(), anchor).apply {
+            menu.add(0, MENU_SET_CERT, 0, getString(R.string.account_mtls_set_cert))
+            if (hasCert) {
+                menu.add(0, MENU_CLEAR_CERT, 1, getString(R.string.account_mtls_clear_cert))
+            }
+            setOnMenuItemClickListener { item ->
+                when (item.itemId) {
+                    MENU_SET_CERT -> {
+                        launchClientCertPicker(account)
+                        true
+                    }
+                    MENU_CLEAR_CERT -> {
+                        setAccountClientCertAlias(account, null)
+                        true
+                    }
+                    else -> {
+                        false
+                    }
+                }
+            }
+            show()
+        }
+    }
+
+    private fun launchClientCertPicker(account: Account) {
+        val currentAlias = LibAccountUtils.getClientCertAliasForAccount(requireContext(), account)
+        KeyChain.choosePrivateKeyAlias(
+            requireActivity(),
+            // Null = user cancelled; preserve the current selection.
+            { alias -> activity?.runOnUiThread { alias?.let { setAccountClientCertAlias(account, it) } } },
+            null, null, null, KEYCHAIN_NO_PORT, currentAlias
+        )
+    }
+
+    private fun setAccountClientCertAlias(account: Account, alias: String?) {
+        AccountManager.get(requireContext().applicationContext)
+            .setUserData(account, LibAccountUtils.Constants.KEY_MTLS_CERT_ALIAS, alias?.takeIf { it.isNotBlank() })
+        // Drop cached clients so the next request renegotiates TLS with the updated certificate.
+        SingleSessionManager.getDefaultSingleton().invalidateAllClients()
+        val message = if (alias.isNullOrBlank()) {
+            getString(R.string.account_mtls_cert_cleared)
+        } else {
+            getString(R.string.account_mtls_cert_selected, alias)
+        }
+        Toast.makeText(requireContext(), message, Toast.LENGTH_LONG).show()
+    }
+
     override fun createAccount() {
         val accountManager = AccountManager.get(MainApp.appContext)
         accountManager.addAccount(
@@ -277,6 +336,12 @@ class ManageAccountsDialogFragment : DialogFragment(), ManageAccountsAdapter.Acc
         const val MANAGE_ACCOUNTS_DIALOG = "MANAGE_ACCOUNTS_DIALOG"
         const val KEY_CURRENT_ACCOUNT = "KEY_CURRENT_ACCOUNT"
 
+        private const val MENU_SET_CERT = 1
+        private const val MENU_CLEAR_CERT = 2
+
+        // KeyChain.choosePrivateKeyAlias: -1 means no port constraint on the host hint.
+        private const val KEYCHAIN_NO_PORT = -1
+
         fun newInstance(currentAccount: Account?): ManageAccountsDialogFragment {
             val args = Bundle().apply {
                 putParcelable(KEY_CURRENT_ACCOUNT, currentAccount)
diff --git a/opencloudApp/src/main/java/eu/opencloud/android/presentation/authentication/LoginActivity.kt b/opencloudApp/src/main/java/eu/opencloud/android/presentation/authentication/LoginActivity.kt
index ea440310d9..f470fa426d 100644
--- a/opencloudApp/src/main/java/eu/opencloud/android/presentation/authentication/LoginActivity.kt
+++ b/opencloudApp/src/main/java/eu/opencloud/android/presentation/authentication/LoginActivity.kt
@@ -38,6 +38,7 @@ import android.content.ActivityNotFoundException
 import android.content.Intent
 import android.net.Uri
 import android.os.Bundle
+import android.security.KeyChain
 import android.view.View.INVISIBLE
 import android.view.WindowManager.LayoutParams.FLAG_SECURE
 import androidx.appcompat.app.AppCompatActivity
@@ -49,6 +50,7 @@ import androidx.core.widget.doAfterTextChanged
 import eu.opencloud.android.BuildConfig
 import eu.opencloud.android.MainApp.Companion.accountType
 import eu.opencloud.android.R
+import eu.opencloud.android.data.ClientManager
 import eu.opencloud.android.data.authentication.KEY_OIDC_ISSUER
 import eu.opencloud.android.data.authentication.KEY_PREFERRED_USERNAME
 import eu.opencloud.android.data.authentication.KEY_USER_ID
@@ -107,12 +109,20 @@ private const val KEY_AUTH_SERVER_BASE_URL = "KEY_AUTH_SERVER_BASE_URL"
 private const val KEY_AUTH_OIDC_SUPPORTED = "KEY_AUTH_OIDC_SUPPORTED"
 private const val KEY_AUTH_LOGIN_ACTION = "KEY_AUTH_LOGIN_ACTION"
 private const val KEY_AUTH_USER_ACCOUNT = "KEY_AUTH_USER_ACCOUNT"
+private const val KEY_AUTH_MTLS_CERT_ALIAS = "KEY_AUTH_MTLS_CERT_ALIAS"
+
+// KeyChain.choosePrivateKeyAlias: -1 means no port constraint on the host hint.
+private const val KEYCHAIN_NO_PORT = -1
 
 class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrustedCertListener, SecurityEnforced {
 
     private val authenticationViewModel by viewModel<AuthenticationViewModel>()
     private val contextProvider by inject<ContextProvider>()
     private val mdmProvider by inject<MdmProvider>()
+    private val clientManager by inject<ClientManager>()
+
+    // Alias (from the Android KeyChain) of the client certificate to present for mTLS during login.
+    private var clientCertAlias: String? = null
 
     private var loginAction: Byte = ACTION_CREATE
     private var authTokenType: String? = null
@@ -213,12 +223,16 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
         binding.root.filterTouchesWhenObscured =
             PreferenceUtils.shouldDisallowTouchesWithOtherVisibleWindows(this@LoginActivity)
 
+        restoreClientCertAlias(savedInstanceState)
+
         initBrandableOptionsUI()
 
         binding.thumbnail.setOnClickListener { checkOcServer() }
 
         binding.embeddedCheckServerButton.setOnClickListener { checkOcServer() }
 
+        binding.mtlsSelectCertButton.setOnClickListener { launchClientCertPicker() }
+
         binding.loginButton.setOnClickListener {
             if (AccountTypeUtils.getAuthTokenTypeAccessToken(accountType) != authTokenType) { // Basic
                 authenticationViewModel.loginBasic(
@@ -258,6 +272,24 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
         // getServerInfo() completes (process death recovery flow).
     }
 
+    /**
+     * Restores the mTLS client certificate alias: from saved state on recreate, from the existing
+     * account on re-login, or none on a fresh login. Keeps [clientManager]'s transient alias in sync
+     * so the login connection (server check + login) presents the right certificate before the
+     * account exists.
+     */
+    private fun restoreClientCertAlias(savedInstanceState: Bundle?) {
+        clientCertAlias = when {
+            savedInstanceState != null -> savedInstanceState.getString(KEY_AUTH_MTLS_CERT_ALIAS)
+            loginAction != ACTION_CREATE -> userAccount?.let {
+                AccountManager.get(this).getUserData(it, AccountUtils.Constants.KEY_MTLS_CERT_ALIAS)
+            }
+            else -> null
+        }
+        clientManager.loginClientCertAlias = clientCertAlias
+        updateClientCertStatus()
+    }
+
     /**
      * If this onCreate is an OAuth redirect, either forward it to the existing instance
      * (when not task root) or let it proceed. Otherwise, track this instance so the
@@ -626,6 +658,11 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
             am.setUserData(account, KEY_OIDC_ISSUER, serverInfo.oidcServerConfiguration.issuer)
         }
 
+        // Persist the mTLS client certificate chosen during login to the account, then clear the
+        // login-time transient so it does not leak into later anonymous clients.
+        am.setUserData(account, AccountUtils.Constants.KEY_MTLS_CERT_ALIAS, clientCertAlias?.takeIf { it.isNotBlank() })
+        clientManager.loginClientCertAlias = null
+
         authenticationViewModel.discoverAccount(accountName = accountName, discoveryNeeded = loginAction == ACTION_CREATE)
         clearAuthState()
     }
@@ -1084,6 +1121,39 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
         }
     }
 
+    /**
+     * Opens the Android KeyChain picker so the user can choose a client certificate for mTLS,
+     * defaulting to the currently selected alias. The chosen alias is applied to the login client
+     * immediately so the next server check / login presents it.
+     */
+    private fun launchClientCertPicker() {
+        KeyChain.choosePrivateKeyAlias(
+            this,
+            { alias -> runOnUiThread { onClientCertPicked(alias) } },
+            null, null, null, KEYCHAIN_NO_PORT, clientCertAlias
+        )
+    }
+
+    private fun onClientCertPicked(alias: String?) {
+        // Null = user cancelled the picker; keep the current selection.
+        if (alias == null) return
+        clientCertAlias = alias
+        clientManager.loginClientCertAlias = alias
+        updateClientCertStatus()
+    }
+
+    private fun updateClientCertStatus() {
+        binding.mtlsStatusText.run {
+            val alias = clientCertAlias
+            if (alias.isNullOrBlank()) {
+                isVisible = false
+            } else {
+                text = getString(R.string.auth_mtls_cert_selected, alias)
+                isVisible = true
+            }
+        }
+    }
+
     override fun onSaveInstanceState(outState: Bundle) {
         super.onSaveInstanceState(outState)
         outState.putString(KEY_AUTH_TOKEN_TYPE, authTokenType)
@@ -1094,6 +1164,7 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
         outState.putString(KEY_CODE_VERIFIER, authenticationViewModel.codeVerifier)
         outState.putString(KEY_CODE_CHALLENGE, authenticationViewModel.codeChallenge)
         outState.putString(KEY_OIDC_STATE, authenticationViewModel.oidcState)
+        outState.putString(KEY_AUTH_MTLS_CERT_ALIAS, clientCertAlias)
     }
 
     override fun finish() {
diff --git a/opencloudApp/src/main/res/layout-land/account_setup.xml b/opencloudApp/src/main/res/layout-land/account_setup.xml
index 81c7251221..0dc6fa824a 100644
--- a/opencloudApp/src/main/res/layout-land/account_setup.xml
+++ b/opencloudApp/src/main/res/layout-land/account_setup.xml
@@ -200,6 +200,28 @@
                                 android:visibility="gone" />
                         </FrameLayout>
 
+                        <Button
+                            android:id="@+id/mtls_select_cert_button"
+                            android:layout_width="wrap_content"
+                            android:layout_height="wrap_content"
+                            android:background="@android:color/transparent"
+                            android:contentDescription="@string/auth_mtls_select_cert"
+                            android:gravity="center_vertical"
+                            android:paddingTop="5dp"
+                            android:paddingBottom="5dp"
+                            android:text="@string/auth_mtls_select_cert"
+                            android:textColor="@color/login_text_color" />
+
+                        <TextView
+                            android:id="@+id/mtls_status_text"
+                            android:layout_width="match_parent"
+                            android:layout_height="wrap_content"
+                            android:layout_marginBottom="10dp"
+                            android:textColor="@color/login_text_color"
+                            android:visibility="gone"
+                            tools:text="@string/auth_mtls_cert_selected"
+                            tools:visibility="visible" />
+
                         <TextView
                             android:id="@+id/server_status_text"
                             android:layout_width="match_parent"
diff --git a/opencloudApp/src/main/res/layout/account_item.xml b/opencloudApp/src/main/res/layout/account_item.xml
index c342408c9c..2591c18641 100644
--- a/opencloudApp/src/main/res/layout/account_item.xml
+++ b/opencloudApp/src/main/res/layout/account_item.xml
@@ -69,7 +69,7 @@
             android:textSize="16sp"
             android:textStyle="bold"
             app:layout_constraintBottom_toTopOf="@+id/account"
-            app:layout_constraintEnd_toStartOf="@+id/clean_account_local_storage_button"
+            app:layout_constraintEnd_toStartOf="@+id/mtls_account_button"
             app:layout_constraintStart_toEndOf="@+id/ticker"
             app:layout_constraintTop_toTopOf="parent" />
 
@@ -83,10 +83,28 @@
             android:textColor="@color/textColor"
             android:textSize="14sp"
             android:lines="1"
-            app:layout_constraintEnd_toStartOf="@+id/clean_account_local_storage_button"
+            app:layout_constraintEnd_toStartOf="@+id/mtls_account_button"
             app:layout_constraintStart_toEndOf="@id/ticker"
             app:layout_constraintTop_toBottomOf="@id/name" />
 
+        <ImageView
+            android:id="@+id/mtls_account_button"
+            android:layout_width="wrap_content"
+            android:layout_height="wrap_content"
+            android:layout_gravity="center_vertical"
+            android:background="?android:attr/selectableItemBackground"
+            android:clickable="true"
+            android:paddingStart="@dimen/standard_half_padding"
+            android:paddingTop="@dimen/standard_padding"
+            android:paddingEnd="@dimen/standard_half_padding"
+            android:paddingBottom="@dimen/standard_padding"
+            android:src="@drawable/ic_lock"
+            android:contentDescription="@string/account_mtls_button"
+            app:layout_constraintBottom_toBottomOf="parent"
+            app:layout_constraintEnd_toStartOf="@+id/clean_account_local_storage_button"
+            app:layout_constraintTop_toTopOf="parent"
+            app:tint="@color/black" />
+
         <ImageView
             android:id="@+id/clean_account_local_storage_button"
             android:layout_width="wrap_content"
diff --git a/opencloudApp/src/main/res/layout/account_setup.xml b/opencloudApp/src/main/res/layout/account_setup.xml
index 0fd696aace..9245ec39f1 100644
--- a/opencloudApp/src/main/res/layout/account_setup.xml
+++ b/opencloudApp/src/main/res/layout/account_setup.xml
@@ -195,6 +195,28 @@
                             android:visibility="gone" />
                     </FrameLayout>
 
+                    <Button
+                        android:id="@+id/mtls_select_cert_button"
+                        android:layout_width="wrap_content"
+                        android:layout_height="wrap_content"
+                        android:background="@android:color/transparent"
+                        android:contentDescription="@string/auth_mtls_select_cert"
+                        android:gravity="center_vertical"
+                        android:paddingTop="5dp"
+                        android:paddingBottom="5dp"
+                        android:text="@string/auth_mtls_select_cert"
+                        android:textColor="@color/login_text_color" />
+
+                    <TextView
+                        android:id="@+id/mtls_status_text"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:layout_marginBottom="10dp"
+                        android:textColor="@color/login_text_color"
+                        android:visibility="gone"
+                        tools:text="@string/auth_mtls_cert_selected"
+                        tools:visibility="visible" />
+
                     <TextView
                         android:id="@+id/server_status_text"
                         android:layout_width="match_parent"
diff --git a/opencloudApp/src/main/res/values/strings.xml b/opencloudApp/src/main/res/values/strings.xml
index e867c95a7c..271dfe9ba1 100644
--- a/opencloudApp/src/main/res/values/strings.xml
+++ b/opencloudApp/src/main/res/values/strings.xml
@@ -59,6 +59,15 @@
     <string name="prefs_lock_access_from_document_provider_summary">Lock access from other apps to the files of the accounts in the app via the Android native file explorer.</string>
     <string name="prefs_touches_with_other_visible_windows">Touches with other visible windows</string>
     <string name="prefs_touches_with_other_visible_windows_summary">Allow touches when the view is obscured by another visible window. Enable it to use light filtering apps.</string>
+
+    <!-- mTLS client certificate (per account) -->
+    <string name="auth_mtls_select_cert">Client certificate (mTLS)</string>
+    <string name="auth_mtls_cert_selected">Certificate: %1$s</string>
+    <string name="account_mtls_button">Client certificate</string>
+    <string name="account_mtls_set_cert">Set client certificate</string>
+    <string name="account_mtls_clear_cert">Remove client certificate</string>
+    <string name="account_mtls_cert_selected">Client certificate set: %1$s</string>
+    <string name="account_mtls_cert_cleared">Client certificate removed</string>
     <string name="confirmation_touches_with_other_windows_title">Are you sure you want to enable this feature?</string>
     <string name="confirmation_touches_with_other_windows_message">Use this feature at your own risk. A malicious application could try to spoof you into unknowingly performing some actions, using other views.</string>
     <string name="prefs_subsection_picture_uploads">Automatic picture uploads</string>
diff --git a/opencloudApp/src/main/res/xml/settings_security.xml b/opencloudApp/src/main/res/xml/settings_security.xml
index 91c72bb0dd..5da26cbdbc 100644
--- a/opencloudApp/src/main/res/xml/settings_security.xml
+++ b/opencloudApp/src/main/res/xml/settings_security.xml
@@ -49,4 +49,4 @@
         app:summary="@string/prefs_touches_with_other_visible_windows_summary"
         app:title="@string/prefs_touches_with_other_visible_windows" />
 
-</PreferenceScreen>
\ No newline at end of file
+</PreferenceScreen>
diff --git a/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/SingleSessionManager.java b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/SingleSessionManager.java
index 82a7f3dec8..933ef339d1 100644
--- a/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/SingleSessionManager.java
+++ b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/SingleSessionManager.java
@@ -177,6 +177,12 @@ public OpenCloudClient getClientFor(OpenCloudAccount account,
 
             keepUriUpdated(account, client);
         }
+
+        // Present the per-account client certificate (if any) for mutual TLS. Re-resolved on every
+        // call so a certificate changed via Manage Accounts is picked up on the next request; the
+        // client only rebuilds when the alias actually changes.
+        client.setClientCertAlias(AccountUtils.getClientCertAliasForAccount(context, account.getSavedAccount()));
+
         Timber.d("getClientFor finishing ");
         return client;
     }
@@ -205,6 +211,15 @@ public void removeClientFor(OpenCloudAccount account) {
         Timber.d("removeClientFor finishing ");
     }
 
+    public void invalidateAllClients() {
+        for (OpenCloudClient client : mClientsWithKnownUsername.values()) {
+            client.invalidate();
+        }
+        for (OpenCloudClient client : mClientsWithUnknownUsername.values()) {
+            client.invalidate();
+        }
+    }
+
     public void refreshCredentialsForAccount(String accountName, OpenCloudCredentials credentials) {
         OpenCloudClient openCloudClient = mClientsWithKnownUsername.get(accountName);
         if (openCloudClient == null) {
diff --git a/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/accounts/AccountUtils.java b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/accounts/AccountUtils.java
index 4915d9b5c4..957dd59f01 100644
--- a/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/accounts/AccountUtils.java
+++ b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/accounts/AccountUtils.java
@@ -145,6 +145,21 @@ public static String getUserId(Account account, Context context) {
         return accountMgr.getUserData(account, Constants.KEY_ID);
     }
 
+    /**
+     * Returns the alias (from the Android KeyChain) of the client certificate configured for the
+     * given account, used to present a certificate for mutual TLS authentication.
+     *
+     * @param context Valid Android {@link Context}, needed to access the {@link AccountManager}
+     * @param account A stored openCloud {@link Account}, may be null (e.g. anonymous client)
+     * @return the configured certificate alias, or null when none is set or the account is null
+     */
+    public static String getClientCertAliasForAccount(Context context, Account account) {
+        if (account == null) {
+            return null;
+        }
+        return AccountManager.get(context).getUserData(account, Constants.KEY_MTLS_CERT_ALIAS);
+    }
+
     public static String buildAccountNameOld(Uri serverBaseUrl, String username) {
         if (serverBaseUrl.getScheme() == null) {
             serverBaseUrl = Uri.parse("https://" + serverBaseUrl.toString());
@@ -223,6 +238,12 @@ public static class Constants {
          */
         public static final String KEY_DISPLAY_NAME = "oc_display_name";
 
+        /**
+         * Alias (from the Android KeyChain) of the client certificate to present for mutual TLS
+         * authentication on this account's connections.
+         */
+        public static final String KEY_MTLS_CERT_ALIAS = "oc_mtls_cert_alias";
+
         public static final int ACCOUNT_VERSION = 1;
     }
 }
diff --git a/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/http/HttpClient.java b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/http/HttpClient.java
index ab8b711ed5..702e3b0654 100644
--- a/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/http/HttpClient.java
+++ b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/http/HttpClient.java
@@ -28,6 +28,7 @@
 
 import eu.opencloud.android.lib.common.http.logging.LogInterceptor;
 import eu.opencloud.android.lib.common.network.AdvancedX509TrustManager;
+import eu.opencloud.android.lib.common.network.ClientCertificateManager;
 import eu.opencloud.android.lib.common.network.KnownServersHostnameVerifier;
 import eu.opencloud.android.lib.common.network.NetworkUtils;
 import okhttp3.Cookie;
@@ -38,6 +39,7 @@
 import okhttp3.TlsVersion;
 import timber.log.Timber;
 
+import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
@@ -61,6 +63,10 @@ public class HttpClient {
 
     private OkHttpClient mOkHttpClient = null;
 
+    // Alias (from the Android KeyChain) of the client certificate to present for mTLS on this
+    // client's connections. Resolved per account; null means no client certificate.
+    private String mClientCertAlias = null;
+
     protected HttpClient(Context context) {
         if (context == null) {
             Timber.e("Context may not be NULL!");
@@ -69,14 +75,16 @@ protected HttpClient(Context context) {
         mContext = context;
     }
 
-    public OkHttpClient getOkHttpClient() {
+    public synchronized OkHttpClient getOkHttpClient() {
         if (mOkHttpClient == null) {
             try {
                 final X509TrustManager trustManager = new AdvancedX509TrustManager(
                         NetworkUtils.getKnownServersStore(mContext));
 
                 final SSLContext sslContext = buildSSLContext();
-                sslContext.init(null, new TrustManager[]{trustManager}, null);
+
+                KeyManager[] keyManagers = ClientCertificateManager.INSTANCE.getKeyManagers(mContext, mClientCertAlias);
+                sslContext.init(keyManagers, new TrustManager[]{trustManager}, null);
                 final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
 
                 // Automatic cookie handling, NOT PERSISTENT
@@ -94,6 +102,26 @@ public OkHttpClient getOkHttpClient() {
         return mOkHttpClient;
     }
 
+    public synchronized void invalidate() {
+        if (mOkHttpClient != null) {
+            // Drop idle keep-alive connections so the next request renegotiates TLS (e.g. with a
+            // changed client certificate) instead of reusing a connection from the old config.
+            mOkHttpClient.connectionPool().evictAll();
+        }
+        mOkHttpClient = null;
+    }
+
+    /**
+     * Sets the alias (from the Android KeyChain) of the client certificate to present for mTLS.
+     * Invalidates the cached client when the alias changes so it is rebuilt with the new certificate.
+     */
+    public synchronized void setClientCertAlias(String alias) {
+        if ((alias == null) ? (mClientCertAlias != null) : !alias.equals(mClientCertAlias)) {
+            mClientCertAlias = alias;
+            invalidate();
+        }
+    }
+
     private SSLContext buildSSLContext() throws NoSuchAlgorithmException {
         try {
             return SSLContext.getInstance(TlsVersion.TLS_1_3.javaName());
diff --git a/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/network/ClientCertificateManager.kt b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/network/ClientCertificateManager.kt
new file mode 100644
index 0000000000..d8fe50a6d4
--- /dev/null
+++ b/opencloudComLibrary/src/main/java/eu/opencloud/android/lib/common/network/ClientCertificateManager.kt
@@ -0,0 +1,76 @@
+/* openCloud Android Library is available under MIT license
+ *   Copyright (C) 2026 openCloud GmbH.
+ *
+ *   Permission is hereby granted, free of charge, to any person obtaining a copy
+ *   of this software and associated documentation files (the "Software"), to deal
+ *   in the Software without restriction, including without limitation the rights
+ *   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *   copies of the Software, and to permit persons to whom the Software is
+ *   furnished to do so, subject to the following conditions:
+ *
+ *   The above copyright notice and this permission notice shall be included in
+ *   all copies or substantial portions of the Software.
+ *
+ *   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ *   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ *   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ *   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ *   BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ *   ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ *   CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *   THE SOFTWARE.
+ *
+ */
+
+package eu.opencloud.android.lib.common.network
+
+import android.content.Context
+import android.security.KeyChain
+import timber.log.Timber
+import java.net.Socket
+import java.security.Principal
+import java.security.PrivateKey
+import java.security.cert.X509Certificate
+import javax.net.ssl.KeyManager
+import javax.net.ssl.X509KeyManager
+
+object ClientCertificateManager {
+
+    /**
+     * Builds the [KeyManager]s that present the client certificate identified by [alias] (an alias
+     * from the Android [KeyChain]) during the TLS handshake. The alias is resolved per account, so
+     * callers pass the alias bound to the account/login that owns the connection.
+     *
+     * @return null when [alias] is null/blank, i.e. mTLS is not configured for this connection.
+     */
+    fun getKeyManagers(context: Context, alias: String?): Array<KeyManager>? {
+        if (alias.isNullOrBlank()) return null
+        return arrayOf(KeyChainKeyManager(context.applicationContext, alias))
+    }
+
+    private class KeyChainKeyManager(
+        private val appContext: Context,
+        private val alias: String,
+    ) : X509KeyManager {
+
+        // We always present the single configured alias: it is the only certificate the user
+        // selected for this account, so there is nothing to choose between.
+        override fun chooseClientAlias(keyType: Array<String>?, issuers: Array<Principal>?, socket: Socket?): String = alias
+
+        override fun getClientAliases(keyType: String?, issuers: Array<Principal>?): Array<String> = arrayOf(alias)
+
+        override fun getCertificateChain(alias: String?): Array<X509Certificate>? =
+            runCatching { KeyChain.getCertificateChain(appContext, this.alias) }
+                .onFailure { Timber.e(it, "Failed to get certificate chain for alias: %s", this.alias) }
+                .getOrNull()
+
+        override fun getPrivateKey(alias: String?): PrivateKey? =
+            runCatching { KeyChain.getPrivateKey(appContext, this.alias) }
+                .onFailure { Timber.e(it, "Failed to get private key for alias: %s", this.alias) }
+                .getOrNull()
+
+        override fun chooseServerAlias(keyType: String?, issuers: Array<Principal>?, socket: Socket?): String? = null
+
+        override fun getServerAliases(keyType: String?, issuers: Array<Principal>?): Array<String>? = null
+    }
+}
diff --git a/opencloudData/src/main/java/eu/opencloud/android/data/ClientManager.kt b/opencloudData/src/main/java/eu/opencloud/android/data/ClientManager.kt
index 8edbccfda9..46fe016b13 100644
--- a/opencloudData/src/main/java/eu/opencloud/android/data/ClientManager.kt
+++ b/opencloudData/src/main/java/eu/opencloud/android/data/ClientManager.kt
@@ -56,6 +56,11 @@ class ClientManager(
     // This client will maintain cookies across the whole login process.
     private var openCloudClient: OpenCloudClient? = null
 
+    // Alias (from the Android KeyChain) of the client certificate to present for mutual TLS during
+    // the login process, before the account exists. Set from the login screen and persisted to the
+    // account's userData on success. Null means no client certificate.
+    var loginClientCertAlias: String? = null
+
     // Cached client to avoid retrieving the client for each service
     private var openCloudClientForCurrentAccount: OpenCloudClient? = null
 
@@ -86,6 +91,7 @@ class ClientManager(
                 context
             ).apply {
                 credentials = openCloudCredentials
+                setClientCertAlias(loginClientCertAlias)
             }.also {
                 openCloudClient = it
             }
@@ -93,6 +99,7 @@ class ClientManager(
             Timber.d("Reusing anonymous client for ${safeClient.baseUri}")
             safeClient.apply {
                 credentials = openCloudCredentials
+                setClientCertAlias(loginClientCertAlias)
             }
         }
     }