diff --git a/doc/api/tls.md b/doc/api/tls.md
index 97bc8301f4ead1..161bc8e48421ce 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -487,7 +487,12 @@ changes:
 will be emitted on the socket before establishing a secure communication
 * `secureContext`: Optional TLS context object created with
 [`tls.createSecureContext()`][]. If a `secureContext` is _not_ provided, one
- will be created by calling [`tls.createSecureContext()`][] with no options.
+ will be created by passing the entire `options` object to
+ `tls.createSecureContext()`. *Note*: In effect, all
+ [`tls.createSecureContext()`][] options can be provided, but they will be
+ _completely ignored_ unless the `secureContext` option is missing.
+ * ...: Optional [`tls.createSecureContext()`][] options can be provided, see
+ the `secureContext` option for more information.
 Construct a new `tls.TLSSocket` object from an existing TCP socket.
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 3761a85181d70a..ebd36519cf1525 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -351,7 +351,7 @@ TLSSocket.prototype._wrapHandle = function(wrap) {
 // Wrap socket's handle
 var context = options.secureContext ||
 options.credentials ||
- tls.createSecureContext();
+ tls.createSecureContext(options);
 res = tls_wrap.wrap(handle._externalStream,
 context.context,
 !!options.isServer);
diff --git a/test/parallel/test-tls-socket-default-options.js b/test/parallel/test-tls-socket-default-options.js
index b4c5a9754eb84e..24b7a5d34ec0fb 100644
--- a/test/parallel/test-tls-socket-default-options.js
+++ b/test/parallel/test-tls-socket-default-options.js
@@ -1,7 +1,7 @@
 'use strict';
 const common = require('../common');
-// Test a directly created TLS socket supports no options, and empty options.
+// Test directly created TLS sockets and options.
 const assert = require('assert');
 const join = require('path').join;
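Review bot: In lib/_tls_wrap.js, the `||` chain in `_wrapHandle` now gives `options` two roles with nothing on the line to say which wins: context options such as `ca` reach `tls.createSecureContext(options)` only when neither `options.secureContext` nor `options.credentials` is set, and are otherwise dropped without any signal. A caller who passes a restricted `ca` together with a `secureContext` would, as far as this hunk shows, have peers verified against whatever that context trusts rather than the CA list they supplied. I would add a comment above the assignment, e.g. `// Context options (ca, cert, key, ...) are honoured only when no secureContext/credentials is supplied; otherwise they are ignored.`, and note that the doc text in this commit mentions `secureContext` but not the `credentials` fallback. `_wrapHandle` starts and ends outside the hunk, so how `options` is populated is not visible here.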
@@ -26,6 +26,16 @@ test({secureContext: tls.createSecureContext({ca: keys.agent1.ca})}, (err) => {
 assert.ifError(err);
 });
+test({ca: keys.agent1.ca}, (err) => {
+ assert.ifError(err);
+});
+
+// Secure context options, like ca, are ignored if a sec ctx is explicitly
+// provided.
+test({secureContext: tls.createSecureContext(), ca: keys.agent1.ca}, (err) => {
+ assert.strictEqual(err.message, 'unable to verify the first certificate');
+});
+
 function test(client, callback) {
 callback = common.mustCall(callback);
 connect({
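Review bot: The second added test dereferences `err.message` without first checking that `err` exists, so if the handshake ever succeeds (the exact regression this case guards against) the failure would presumably surface as a TypeError rather than a readable assertion. Adding `assert(err);` before the comparison, or comparing `err && err.message`, keeps the failure meaningful. Matching the OpenSSL message text is also brittle; if the error carries a code, `assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');` is the steadier check. The `test` helper's body continues past the end of the hunk, so the shape of `err` on success is inferred from the `assert.ifError(err)` cases.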