diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
index 3eba6d53ee..251ed0c9e5 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
*/
package org.springframework.security.config.annotation.web.configurers;
-import javax.servlet.http.HttpServletRequest;
-
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
@@ -32,6 +30,9 @@ import org.springframework.security.web.authentication.preauth.PreAuthenticatedA
import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
+import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
+
+import javax.servlet.http.HttpServletRequest;
/**
* Adds X509 based pre authentication to an application. Since validating the certificate
@@ -40,7 +41,7 @@ import org.springframework.security.web.authentication.preauth.x509.X509Authenti
* certificate to look up the {@link Authentication} for the user.
*
*
Security Filters
- *
+ *
* The following Filters are populated
*
*
@@ -48,7 +49,7 @@ import org.springframework.security.web.authentication.preauth.x509.X509Authenti
*
*
* Shared Objects Created
- *
+ *
* The following shared objects are created
*
*
@@ -61,7 +62,7 @@ import org.springframework.security.web.authentication.preauth.x509.X509Authenti
*
*
* Shared Objects Used
- *
+ *
* The following shared objects are used:
*
*
@@ -75,12 +76,13 @@ import org.springframework.security.web.authentication.preauth.x509.X509Authenti
public final class X509Configurer> extends
AbstractHttpConfigurer, H> {
private X509AuthenticationFilter x509AuthenticationFilter;
+ private X509PrincipalExtractor x509PrincipalExtractor;
private AuthenticationUserDetailsService authenticationUserDetailsService;
- private String subjectPrincipalRegex;
private AuthenticationDetailsSource authenticationDetailsSource;
/**
* Creates a new instance
+ *
* @see HttpSecurity#x509()
*/
public X509Configurer() {
@@ -100,6 +102,17 @@ public final class X509Configurer> extends
return this;
}
+ /**
+ * Specifies the {@link X509PrincipalExtractor}
+ *
+ * @param x509PrincipalExtractor the {@link X509PrincipalExtractor} to use
+ * @return the {@link X509Configurer} to use
+ */
+ public X509Configurer x509PrincipalExtractor(X509PrincipalExtractor x509PrincipalExtractor) {
+ this.x509PrincipalExtractor = x509PrincipalExtractor;
+ return this;
+ }
+
/**
* Specifies the {@link AuthenticationDetailsSource}
*
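Review bot: The new `x509PrincipalExtractor(...)` setter and `subjectPrincipalRegex(...)` both assign the same `x509PrincipalExtractor` field, so whichever is called last silently replaces the other, and the Javadoc does not say so. The extractor decides which part of the client certificate becomes the authenticated principal, so a reader of the configuration should not have to guess which one is in effect. I would add a sentence such as `If {@link #subjectPrincipalRegex(String)} is also specified, the one invoked last takes precedence.` The null case should be documented too: judging by the `!= null` guard in the filter-building hunk, passing `null` leaves the filter's default extractor in place. Finally, `@return the {@link X509Configurer} to use` should read `@return the {@link X509Configurer} for further customizations` to match the sibling methods.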
@@ -131,8 +144,7 @@ public final class X509Configurer> extends
* the shared {@link UserDetailsService} will be used to create a
* {@link UserDetailsByNameServiceWrapper}.
*
- * @param authenticationUserDetailsService the
- * {@link AuthenticationUserDetailsService} to use
+ * @param authenticationUserDetailsService the {@link AuthenticationUserDetailsService} to use
* @return the {@link X509Configurer} for further customizations
*/
public X509Configurer authenticationUserDetailsService(
@@ -147,11 +159,13 @@ public final class X509Configurer> extends
* used.
*
* @param subjectPrincipalRegex the regex to extract the user principal from the
- * certificate (i.e. "CN=(.*?)(?:,|$)").
+ * certificate (i.e. "CN=(.*?)(?:,|$)").
* @return the {@link X509Configurer} for further customizations
*/
public X509Configurer subjectPrincipalRegex(String subjectPrincipalRegex) {
- this.subjectPrincipalRegex = subjectPrincipalRegex;
+ SubjectDnX509PrincipalExtractor principalExtractor = new SubjectDnX509PrincipalExtractor();
+ principalExtractor.setSubjectDnRegex(subjectPrincipalRegex);
+ this.x509PrincipalExtractor = principalExtractor;
return this;
}
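Review bot: `subjectPrincipalRegex(String)` now passes its argument straight to `SubjectDnX509PrincipalExtractor.setSubjectDnRegex(...)`, which changes what a null or empty value does. Before, the value was only stored, and a `null` was skipped by the guard when the filter was built. If `setSubjectDnRegex` rejects blank input, as I believe it does, such a call now fails at configuration time instead of falling back to the default extractor. Either document that with `@throws IllegalArgumentException if subjectPrincipalRegex is null or empty`, or keep the old lenient behaviour with `if (subjectPrincipalRegex == null) { this.x509PrincipalExtractor = null; return this; }` before the extractor is constructed. The method's Javadoc starts above this hunk, so the `@throws` line would go next to the existing `@param` and `@return` tags.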
@@ -178,10 +192,8 @@ public final class X509Configurer> extends
if (x509AuthenticationFilter == null) {
x509AuthenticationFilter = new X509AuthenticationFilter();
x509AuthenticationFilter.setAuthenticationManager(authenticationManager);
- if (subjectPrincipalRegex != null) {
- SubjectDnX509PrincipalExtractor principalExtractor = new SubjectDnX509PrincipalExtractor();
- principalExtractor.setSubjectDnRegex(subjectPrincipalRegex);
- x509AuthenticationFilter.setPrincipalExtractor(principalExtractor);
+ if (x509PrincipalExtractor != null) {
+ x509AuthenticationFilter.setPrincipalExtractor(x509PrincipalExtractor);
}
if (authenticationDetailsSource != null) {
x509AuthenticationFilter