diff --git a/envoy/extensions/transport_sockets/tls/v3/common.proto b/envoy/extensions/transport_sockets/tls/v3/common.proto
index 9bdd80a3..4bf26890 100644
--- a/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/common.proto
@@ -288,7 +288,7 @@ message SubjectAltNameMatcher {
 type.matcher.v3.StringMatcher matcher = 2 [(validate.rules).message = {required: true}];
 }
-// [#next-free-field: 16]
+// [#next-free-field: 17]
 message CertificateValidationContext {
 option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CertificateValidationContext";
@@ -486,4 +486,11 @@ message CertificateValidationContext {
 // If this option is set to true, only the certificate at the end of the
 // certificate chain will be subject to validation by :ref:`CRL `.
 bool only_verify_leaf_cert_crl = 14;
+
+ // Config for the max number of intermediate certificates in chain that are parsed during verification. // This does not include the leaf certificate. If configured, and the certificate chain is longer than allowed, the certificates // above the limit are ignored, and certificate validation will fail. The default limit is 100, // though this can be system-dependent. // https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify_depth.html google.protobuf.UInt32Value max_verify_depth = 16 [(validate.rules).uint32 = {lte: 100}]; }
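Review bot: The doc comment on the new `max_verify_depth` field says the certificates above the limit are "ignored" and that validation "will fail" without explaining why, does not say what `0` means, and does not explain why the validation rule caps the value at exactly the stated default of 100. I would replace the first three comment lines with: `// Maximum number of intermediate CA certificates (excluding the leaf and the trust anchor) used when building the chain.` / `// Certificates beyond this depth are dropped, so a deeper chain cannot reach a trust anchor and verification fails.` / `// Capped at 100 (the library default), so this can only tighten the policy; a lower value also bounds the path-building work an untrusted peer can force.` Because `google.protobuf.UInt32Value` makes `0` distinguishable from unset, the comment should also say whether `0` is honored (leaf must be issued directly by a trust anchor) or treated as the default; I cannot tell from this hunk which the implementation does. The link points at OpenSSL 1.1.1 documentation, whereas the actual depth semantics and default come from the TLS library Envoy is built against, so the "system-dependent" hedge should name the library rather than the system. The enclosing `CertificateValidationContext` message begins before this hunk.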