diff --git a/autocert/examples/hello-mtls/node/Dockerfile.server b/autocert/examples/hello-mtls/node/Dockerfile.server
new file mode 100644
index 00000000..6d8793f5
--- /dev/null
+++ b/autocert/examples/hello-mtls/node/Dockerfile.server
@@ -0,0 +1,6 @@
+FROM node:lts-alpine
+
+RUN mkdir /src
+ADD server.js /src
+
+CMD ["node", "/src/server.js"]
diff --git a/autocert/examples/hello-mtls/node/hello-mtls.server.yaml b/autocert/examples/hello-mtls/node/hello-mtls.server.yaml
new file mode 100644
index 00000000..1da6b602
--- /dev/null
+++ b/autocert/examples/hello-mtls/node/hello-mtls.server.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels: {app: hello-mtls}
+ name: hello-mtls
+spec:
+ type: ClusterIP
+ ports:
+ - port: 443
+ targetPort: 443
+ selector: {app: hello-mtls}
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: hello-mtls
+ labels: {app: hello-mtls}
+spec:
+ replicas: 1
+ selector: {matchLabels: {app: hello-mtls}}
+ template:
+ metadata:
+ annotations:
+ autocert.step.sm/name: hello-mtls.default.svc.cluster.local
+ labels: {app: hello-mtls}
+ spec:
+ containers:
+ - name: hello-mtls
+ image: hello-mtls-server-node:latest
+ imagePullPolicy: Never
+ resources: {requests: {cpu: 10m, memory: 20Mi}}
diff --git a/autocert/examples/hello-mtls/node/server.js b/autocert/examples/hello-mtls/node/server.js
new file mode 100644
index 00000000..48550e7e
--- /dev/null
+++ b/autocert/examples/hello-mtls/node/server.js
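Review bot: Dockerfile.server sets no `USER`, so the container runs as root, and the Deployment in hello-mtls.server.yaml adds no `securityContext` to constrain it either. Dropping to the image's built-in `node` user is blocked only by server.js binding privileged port 443; moving the listener above 1024 and remapping `targetPort` in the Service would allow `USER node` in the Dockerfile and `securityContext: {runAsNonRoot: true}` in the pod spec. `ADD server.js /src` should be `COPY server.js /src/` — COPY has no URL-fetch or archive-extraction semantics and is the conventional choice for a local file. The Deployment also declares CPU and memory requests but no limits.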
@@ -0,0 +1,40 @@
+const https = require('https');
+const tls = require('tls');
+const fs = require('fs');
+
+var config = {
+ ca: '/var/run/autocert.step.sm/root.crt',
+ key: '/var/run/autocert.step.sm/site.key',
+ cert: '/var/run/autocert.step.sm/site.crt',
+ ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256',
+ minVersion: 'TLSv1.2',
+ maxVersion: 'TLSv1.2'
+}
+
+function createSecureContext() {
+ return tls.createSecureContext({
+ ca: fs.readFileSync(config.ca),
+ key: fs.readFileSync(config.key),
+ cert: fs.readFileSync(config.cert),
+ ciphers: config.ciphers,
+ });
+}
+
+var ctx = createSecureContext()
+
+fs.watch(config.cert, (event, filename) => {
+ if (event == 'change') {
+ ctx = createSecureContext()
+ }
+});
+
+https.createServer({
+ requestCert: true,
+ rejectUnauthorized: true,
+ SNICallback: (servername, cb) => {
+ cb(null, ctx);
+ }
+}, (req, res) => {
+ res.writeHead(200);
+ res.end('hello nodejs\n');
+}).listen(443);
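Review bot: `minVersion` and `maxVersion` are declared in `config` but never passed to `tls.createSecureContext`, so the intended TLS 1.2 pinning is not enforced; the `ciphers` string names only TLS 1.2 suites, so a TLS 1.3 handshake would negotiate a default suite outside that list. Pass `minVersion: config.minVersion, maxVersion: config.maxVersion,` alongside `ciphers` in createSecureContext, which accepts both options. Separately, the `fs.watch` callback calls createSecureContext with no try/catch, so a rotation that rewrites key and certificate non-atomically can throw on a half-written pair and take the process down; catching the error and keeping the previous `ctx` preserves availability. The server options themselves carry no key/cert, and SNICallback is only invoked for clients that send SNI, so a client connecting without SNI presumably falls back to an empty default context and fails the handshake — calling `server.setSecureContext()` on reload would avoid both the SNI dependency and the mutable `ctx`.
```javascript
  return tls.createSecureContext({
    // … unchanged: ca, key, cert …
    ciphers: config.ciphers,
    // apply the version pins config already declares
    minVersion: config.minVersion,
    maxVersion: config.maxVersion,
  });

// … unchanged: initial ctx …

fs.watch(config.cert, (event) => {
  if (event !== 'change') return;
  try {
    ctx = createSecureContext();
  } catch (err) {
    // keep serving with the previous context until a complete pair is on disk
    console.error('certificate reload failed, keeping previous context', err);
  }
});
```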