diff --git a/.env b/.env
index eba5e7c..5677fa2 100644
--- a/.env
+++ b/.env
@@ -1,3 +1,3 @@
-MISP_TAG=v2.4.140
-MODULES_TAG=v2.4.136
+MISP_TAG=v2.4.141
+MODULES_TAG=v2.4.141
 PHP_VER=20180731
diff --git a/README.md b/README.md
index 4963565..3bf44c1 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,7 @@ Updating the images should be as simple as `docker-compose pull` which, unless c
 -   Directory volume mount SSL Certs `./ssl`: `/etc/ssl/certs`
     -   Certificate File: `cert.pem`
     -   Certificate Key File: `key.pem`
+    -   CA File for Cert Authentication (optional) `ca.pem`
 
 -   Directory volume mount and create configs: `/var/www/MISP/app/Config/`
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 659aad2..6c3eb68 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -50,6 +50,7 @@ services:
       # Optional Settings
 #      - "NOREDIR=true" # Do not redirect port 80
 #      - "DISIPV6=true" # Disable IPV6 in nginx
+#      - "CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required
 #      - "SECURESSL=true" # Enable higher security SSL in nginx
 #      - "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
   misp-modules:
diff --git a/server/Dockerfile b/server/Dockerfile
index dcba944..b3b5e2c 100644
--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -13,9 +13,14 @@ FROM debian:buster-slim as php-build
         php \
         php-dev \
         php-pear \
+        librdkafka-dev \
+        git \
         && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
-
-        RUN cp /usr/lib/x86_64-linux-gnu/libfuzzy.* /usr/lib; pecl install ssdeep
+        
+        RUN pecl channel-update pecl.php.net
+        RUN cp /usr/lib/x86_64-linux-gnu/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka
+        RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install
+        
 
 FROM debian:buster-slim as python-build
     RUN apt-get update; apt-get install -y --no-install-recommends \
@@ -112,6 +117,8 @@ ARG PHP_VER
         php-gd \
         php-fpm \
         php-zip \
+        librdkafka1 \
+        libbrotli1 \
         # Unsure we need these
         zip unzip \
         && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
@@ -129,10 +136,17 @@ ARG PHP_VER
 # PHP
     # Install ssdeep prebuild, latest composer, then install the app's PHP deps
     COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so
+    COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so
+    COPY --from=php-build /usr/lib/php/${PHP_VER}/brotli.so /usr/lib/php/${PHP_VER}/brotli.so
+
     COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor
     COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin
+    
+    RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka
+    RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli
+
     RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done \
-        ;phpenmod redis \
+            ;phpenmod redis \
     # Enable CakeResque with php-gnupgp
         ;phpenmod gnupg \
     # Enable ssdeep we build earlier
diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh
index 4feeb12..7371159 100755
--- a/server/files/entrypoint_nginx.sh
+++ b/server/files/entrypoint_nginx.sh
@@ -169,6 +169,17 @@ if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then
     openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
 fi
 
+if [[ $CERTAUTH = @(optional|on) ]]; then
+    echo "Configure NGINX | Enabling SSL Cert Authentication"
+    grep -qF "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
+    grep -qF "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
+    grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a \\    ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
+    grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a \\    ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp 
+
+    echo "Configure bootstrap | Enabling Cert Auth Plugin - Don't forget to configure it https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth (Step 2)" 
+    sed -i "s/\/\/ CakePlugin::load('CertAuth');/CakePlugin::load('CertAuth');/" $MISP_APP_CONFIG_PATH/bootstrap.php
+fi
+
 if [[ "$DISIPV6" == true ]]; then
     echo "Configure NGINX | Disabling IPv6"
     sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80