diff --git a/client.go b/client.go
index b6024afc..6e82cf66 100644
--- a/client.go
+++ b/client.go
@@ -6,6 +6,7 @@ package plugin
 import (
 	"bufio"
 	"context"
+	"crypto/elliptic"
 	"crypto/subtle"
 	"crypto/tls"
 	"crypto/x509"
@@ -232,6 +233,11 @@ type ClientConfig struct {
 	// You cannot Reattach to a server with this option enabled.
 	AutoMTLS bool
 
+	// AutoMTLSCurve is the elliptic curve to use for generating the certificates
+	// used for AutoMTLS.
+	// If this is nil, then the default of elliptic.P521() is used.
+	AutoMTLSCurve elliptic.Curve
+
 	// GRPCDialOptions allows plugin users to pass custom grpc.DialOption
 	// to create gRPC connections. This only affects plugins using the gRPC
 	// protocol.
@@ -393,6 +399,10 @@ func NewClient(config *ClientConfig) (c *Client) {
 		})
 	}
 
+	if config.AutoMTLSCurve == nil {
+		config.AutoMTLSCurve = defaultMTLSCurve
+	}
+
 	c = &Client{
 		config: config,
 		logger: config.Logger,
@@ -630,7 +640,7 @@ func (c *Client) Start() (addr net.Addr, err error) {
 		// certificate to the plugin.
 		if c.config.AutoMTLS {
 			c.logger.Info("configuring client automatic mTLS")
-			certPEM, keyPEM, err := generateCert()
+			certPEM, keyPEM, err := generateCert(c.config.AutoMTLSCurve)
 			if err != nil {
 				c.logger.Error("failed to generate client certificate", "error", err)
 				return nil, err
diff --git a/mtls.go b/mtls.go
index 09ecafaf..d4c75273 100644
--- a/mtls.go
+++ b/mtls.go
@@ -15,10 +15,13 @@ import (
 	"time"
 )
 
+// defaultMTLSCurve is the default curve used for generating mTLS certificates.
+var defaultMTLSCurve = elliptic.P521()
+
 // generateCert generates a temporary certificate for plugin authentication. The
 // certificate and private key are returns in PEM format.
-func generateCert() (cert []byte, privateKey []byte, err error) {
-	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+func generateCert(c elliptic.Curve) (cert []byte, privateKey []byte, err error) {
+	key, err := ecdsa.GenerateKey(c, rand.Reader)
 	if err != nil {
 		return nil, nil, err
 	}
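Review bot: The new AutoMTLSCurve doc comment on ClientConfig does not say which curves are acceptable, and a wrong choice only surfaces later inside Start, when the certificate is generated or the mTLS handshake runs, rather than when the config is built. Go's ecdsa/x509 stack only marshals the named NIST curves and crypto/tls can only negotiate ECDSA signatures over P-256, P-384 and P-521, so P-224 or a custom elliptic.Curve cannot produce a usable plugin identity. I would extend the comment with `// Only elliptic.P256(), elliptic.P384() and elliptic.P521() are usable; other curves cannot be negotiated by crypto/tls, so the handshake will fail.` The ClientConfig struct continues outside the hunk.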
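Review bot: generateCert now takes an arbitrary elliptic.Curve but checks nothing about it: a nil value reaches ecdsa.GenerateKey and panics on the nil interface, and a curve crypto/tls cannot negotiate (P-224, or a custom curve that x509 cannot marshal) produces a key that only fails much later, at handshake time, with an error far from the misconfiguration. Since this is the single place both the client and the server obtain their mTLS identity, I would default nil here and reject anything other than P-256/P-384/P-521 up front; if fmt is not already imported in mtls.go (its import block is only partly visible), an errors.New with a fixed message works the same. The rest of generateCert, including the certificate template and PEM encoding, is outside the hunk.
```go
func generateCert(c elliptic.Curve) (cert []byte, privateKey []byte, err error) {
	if c == nil {
		c = defaultMTLSCurve
	}
	// crypto/tls only negotiates ECDSA over these curves; fail here rather
	// than at handshake time with a much less obvious error.
	switch c {
	case elliptic.P256(), elliptic.P384(), elliptic.P521():
	default:
		return nil, nil, fmt.Errorf("unsupported AutoMTLS curve %s", c.Params().Name)
	}
	key, err := ecdsa.GenerateKey(c, rand.Reader)
	// … unchanged: error check, certificate template, CreateCertificate, PEM encoding …
```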
diff --git a/server.go b/server.go
index 4b0f2b76..e93e9450 100644
--- a/server.go
+++ b/server.go
@@ -5,6 +5,7 @@ package plugin
 import (
 	"context"
+	"crypto/elliptic"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
@@ -100,6 +101,12 @@ type ServeConfig struct {
 	// * Connection information will not be sent to stdout
 	//
 	Test *ServeTestConfig
+
+	// AutoMTLSCurve is the elliptic curve to use for generating the certificates
+	// used for AutoMTLS.
+	// This is only used if the client is configured to use AutoMTLS.
+	// If this is nil, then the default of elliptic.P521() is used.
+	AutoMTLSCurve elliptic.Curve
 }
 
 // ServeTestConfig configures plugin serving for test mode. See ServeConfig.Test.
@@ -305,7 +312,11 @@ func Serve(opts *ServeConfig) {
 		logger.Error("client cert provided but failed to parse", "cert", clientCert)
 	}
 
-	certPEM, keyPEM, err := generateCert()
+	if opts.AutoMTLSCurve == nil {
+		opts.AutoMTLSCurve = defaultMTLSCurve
+	}
+
+	certPEM, keyPEM, err := generateCert(opts.AutoMTLSCurve)
 	if err != nil {
 		logger.Error("failed to generate server certificate", "error", err)
 		panic(err)
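Review bot: The nil-defaulting added to Serve writes the default back into the caller-owned ServeConfig (`opts.AutoMTLSCurve = defaultMTLSCurve`) purely to feed the generateCert call on the next line, so the plugin author's struct is silently modified as a side effect of serving. A local keeps the caller's config untouched and reads more clearly: `curve := opts.AutoMTLSCurve`, `if curve == nil { curve = defaultMTLSCurve }`, `certPEM, keyPEM, err := generateCert(curve)`. The same pattern appears in NewClient, but there the value is stored on the Client and re-read later, whereas here it is consumed once. Serve begins and ends outside the hunk, and the curve itself is still unchecked at this point, so a curve crypto/tls cannot negotiate would only fail at handshake time.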