diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslEngine.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslEngine.java
index a735f936286..3b96f93dd0a 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslEngine.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslEngine.java
@@ -202,7 +202,7 @@ public OpenSslEngine(long sslCtx, ByteBufAllocator alloc,
                   boolean clientMode, OpenSslSessionContext sessionContext,
                   OpenSslApplicationProtocolNegotiator apn, OpenSslEngineMap engineMap,
                   boolean rejectRemoteInitiatedRenegation, String peerHost, int peerPort,
-                  java.security.cert.Certificate[] localCerts,
+                  Certificate[] localCerts,
                   ClientAuth clientAuth) {
         super(peerHost, peerPort);
         OpenSsl.ensureAvailability();
@@ -212,7 +212,6 @@ public OpenSslEngine(long sslCtx, ByteBufAllocator alloc,
 
         this.alloc = checkNotNull(alloc, "alloc");
         this.apn = checkNotNull(apn, "apn");
-        this.clientAuth = clientMode ? ClientAuth.NONE : checkNotNull(clientAuth, "clientAuth");
         ssl = SSL.newSSL(sslCtx, !clientMode);
         session = new OpenSslSession(sessionContext);
         networkBIO = SSL.makeNetworkBIO(ssl);
@@ -220,6 +219,10 @@ public OpenSslEngine(long sslCtx, ByteBufAllocator alloc,
         this.engineMap = engineMap;
         this.rejectRemoteInitiatedRenegation = rejectRemoteInitiatedRenegation;
         this.localCerts = localCerts;
+
+        // Set the client auth mode, this needs to be done via setClientAuth(...) method so we actually call the
+        // needed JNI methods.
+        setClientAuth(clientMode ? ClientAuth.NONE : checkNotNull(clientAuth, "clientAuth"));
     }
 
     @Override