diff --git a/httpd-2.4.48-ssl-proxy-chains.patch b/httpd-2.4.48-ssl-proxy-chains.patch
new file mode 100644
index 0000000..95c31c8
--- /dev/null
+++ b/httpd-2.4.48-ssl-proxy-chains.patch
@@ -0,0 +1,79 @@
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 15f68f9..e67c81d 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -1682,6 +1682,10 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
+ STACK_OF(X509) *chain;
+ X509_STORE_CTX *sctx;
+ X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
++ int addl_chain = 0; /* non-zero if additional chain certs were
++ * added to store */
++
++ ap_assert(store != NULL); /* safe to assume always non-NULL? */
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x1010100fL
+ /* For OpenSSL >=1.1.1, turn on client cert support which is
+@@ -1707,20 +1711,28 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
+ ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk);
+ }
+ 
+- if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
+- sk_X509_INFO_free(sk);
+- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206)
+- "no client certs found for SSL proxy");
+- return APR_SUCCESS;
+- }
+-
+ /* Check that all client certs have got certificates and private
+- * keys. */
+- for (n = 0; n < ncerts; n++) {
++ * keys. Note the number of certs in the stack may decrease
++ * during the loop. */
++ for (n = 0; n < sk_X509_INFO_num(sk); n++) {
+ X509_INFO *inf = sk_X509_INFO_value(sk, n);
++ int has_privkey = inf->x_pkey && inf->x_pkey->dec_pkey;
+ 
+- if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey ||
+- inf->enc_data) {
++ /* For a lone certificate in the file, trust it as a
++ * CA/intermediate certificate. */
++ if (inf->x509 && !has_privkey && !inf->enc_data) {
++ ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, ptemp, s, inf->x509,
++ APLOGNO(10261) "Trusting non-leaf certificate");
++ X509_STORE_add_cert(store, inf->x509); /* increments inf->x509 */
++ /* Delete from the stack and iterate again. 
*/
++ X509_INFO_free(inf);
++ sk_X509_INFO_delete(sk, n);
++ n--;
++ addl_chain = 1;
++ continue;
++ }
++
++ if (!has_privkey || inf->enc_data) {
+ sk_X509_INFO_free(sk);
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
+ "incomplete client cert configured for SSL proxy "
+@@ -1737,13 +1749,21 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
+ }
+ }
+ 
++ if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
++ sk_X509_INFO_free(sk);
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206)
++ "no client certs found for SSL proxy");
++ return APR_SUCCESS;
++ }
++
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
+ "loaded %d client certs for SSL proxy",
+ ncerts);
+ pkp->certs = sk;
+ 
+-
+- if (!pkp->ca_cert_file || !store) {
++ /* If any chain certs are configured, build the ->ca_certs chains
++ * corresponding to the loaded keypairs. */
++ if (!pkp->ca_cert_file && !addl_chain) {
+ return APR_SUCCESS;
+ }
+ 
diff --git a/httpd.spec b/httpd.spec
index cc84559..1186331 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@ Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.48
-Release: 7%{?dist}
+Release: 8%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -89,6 +89,8 @@ Patch46: httpd-2.4.48-proxy-ws-idle-timeout.patch
 Patch47: httpd-2.4.43-pr37355.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1949606
 Patch48: httpd-2.4.46-freebind.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1950021
+Patch49: httpd-2.4.48-ssl-proxy-chains.patch
 # Bug fixes
@@ -102,6 +104,7 @@ Patch64: httpd-2.4.48-full-release.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1950011
 Patch65: httpd-2.4.48-r1877397.patch
+
 # Security fixes
 License: ASL 2.0
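Review bot: The new `if (!has_privkey || inf->enc_data)` check drops the `!inf->x509` test that the removed condition carried, so an X509_INFO holding a decrypted private key but no certificate (a key-only PEM block) now passes both checks and stays in pkp->certs with a NULL x509 for later code to dereference; `if (!inf->x509 || !has_privkey || inf->enc_data) {` keeps the old rejection. The return value of `X509_STORE_add_cert(store, inf->x509)` is ignored, so a certificate the store refused is freed on the next line and silently never trusted, which surfaces later only as an unexplained chain-building failure; check for a non-1 return and report it with ssl_log_xerror before the X509_INFO_free. I believe older OpenSSL releases also reported a duplicate certificate as a failure there, so that result may warrant a warning rather than a fatal error. The `ap_assert(store != NULL)` with its `/* safe to assume always non-NULL? */` comment replaces the former graceful `!store` return with a startup abort, and the open question should be settled (drop the question mark, or keep a logged early return) before this ships. ssl_init_proxy_certs begins and ends outside the hunk.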
@@ -249,6 +252,7 @@ written in the Lua programming language.
 %patch46 -p1 -b .proxy-ws-idle-timeout
 %patch47 -p1 -b .pr37355
 %patch48 -p1 -b .freebind
+%patch49 -p1 -b .ssl-proxy-chains
 %patch60 -p1 -b .enable-sslv3
 %patch61 -p1 -b .htcacheclean-dont-break
@@ -797,6 +801,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Thu Jul 01 2021 Luboš Uhliarik - 2.4.48-8
+- Resolves: #1950021 - [RFE] Update httpd directive SSLProxyMachineCertificateFile
+ to be able to handle certs without matching private key
+
 * Thu Jul 01 2021 Luboš Uhliarik - 2.4.48-7
 - Resolves: #1950011 - unorderly connection close when client attempts renegotiation