diff --git a/lib/client/ca_export.go b/lib/client/ca_export.go
index 36ee3d1f5ec1b..f273ff25aeb2f 100644
--- a/lib/client/ca_export.go
+++ b/lib/client/ca_export.go
@@ -116,6 +116,13 @@ func exportAuth(ctx context.Context, client auth.ClientI, req ExportAuthoritiesR
 ExportPrivateKeys: exportSecrets,
 }
 return exportTLSAuthority(ctx, client, req)
+ case "tls-spiffe":
+ req := exportTLSAuthorityRequest{
+ AuthType: types.SPIFFECA,
+ UnpackPEM: false,
+ ExportPrivateKeys: exportSecrets,
+ }
+ return exportTLSAuthority(ctx, client, req)
 case "db":
 req := exportTLSAuthorityRequest{
 AuthType: types.DatabaseCA,
diff --git a/tool/tctl/common/auth_command.go b/tool/tctl/common/auth_command.go
index 06ec9ef9ba239..b525668dc5c5c 100644
--- a/tool/tctl/common/auth_command.go
+++ b/tool/tctl/common/auth_command.go
@@ -192,6 +192,7 @@ var allowedCertificateTypes = []string{
 "tls-host",
 "tls-user",
 "tls-user-der",
+ "tls-spiffe",
 "windows",
 "db",
 "db-der",
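Review bot: The new `case "tls-spiffe":` in exportAuth (lib/client/ca_export.go) is undocumented, yet it forwards `ExportPrivateKeys: exportSecrets` for the SPIFFE CA exactly as the neighbouring cases do for theirs. That key presumably signs workload identities for the whole trust domain, so the key-export path should be called out for operators and auditors. I would add above the case: `// "tls-spiffe" exports the SPIFFE CA's TLS certificate as PEM; when exportSecrets is set the CA private key is exported, so handle the output as a trust-domain root secret.` The body of exportAuth starts and ends outside the hunk, so I cannot tell whether exportSecrets is gated or audited before this switch; please confirm that, and that the `"tls-spiffe"` entry added to allowedCertificateTypes in tool/tctl/common/auth_command.go is reflected in the flag help and covered by an export test.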