diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
index d538937f..0816faef 100644
--- a/apisix/cli/ngx_tpl.lua
+++ b/apisix/cli/ngx_tpl.lua
@@ -73,6 +73,10 @@ stream {
     resolver {% for _, dns_addr in ipairs(dns_resolver or {}) do %} {*dns_addr*} {% end %} {% if dns_resolver_valid then %} valid={*dns_resolver_valid*}{% end %};
     resolver_timeout {*resolver_timeout*};
 
+    {% if ssl.ssl_trusted_certificate ~= nil then %}
+    lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};
+    {% end %}
+
     # stream configuration snippet starts
     {% if stream_configuration_snippet then %}
     {* stream_configuration_snippet *}
diff --git a/t/cli/test_stream_config.sh b/t/cli/test_stream_config.sh
index 75f56677..1e0cd2a3 100755
--- a/t/cli/test_stream_config.sh
+++ b/t/cli/test_stream_config.sh
@@ -53,3 +53,21 @@ if [ "$count" -ne 2 ]; then
 fi
 
 echo "passed: enable stream proxy and http proxy"
+
+echo "
+apisix:
+    ssl:
+        ssl_trusted_certificate: t/certs/mtls_ca.crt
+    stream_proxy:
+        tcp:
+            - addr: 9100
+" > conf/config.yaml
+
+make init
+
+if ! grep "t/certs/mtls_ca.crt;" conf/nginx.conf > /dev/null; then
+    echo "failed: failed to set trust certificate"
+    exit 1
+fi
+
+echo "passed: set trust certificate"