diff --git a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
new file mode 100644
index 000000000000..ce0a20de329c
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
@@ -0,0 +1,88 @@
+{ stdenv
+, fetchFromGitHub
+, fetchurl
+, lib
+, curl
+, nlohmann_json
+, openssl
+, pkg-config
+, linkFarmFromDrvs
+}:
+
+let
+  # Although those headers are also included in the source of `sgx-psw`, the `azure-dcap-client` build needs specific versions
+  filterSparse = list: ''
+    cp -r "$out"/. .
+    find "$out" -mindepth 1 -delete
+    cp ${lib.concatStringsSep " " list} "$out/"
+  '';
+  headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [
+    (fetchFromGitHub rec {
+      name = "${repo}-headers";
+      owner = "intel";
+      repo = "SGXDataCenterAttestationPrimitives";
+      rev = "0436284f12f1bd5da7e7a06f6274d36b4c8d39f9";
+      sparseCheckout = [ "QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h" ];
+      hash = "sha256-ipKpYHbiwjCUXF/pCArJZy5ko1YX2wqMMdSnMUzhkgY=";
+      postFetch = filterSparse sparseCheckout;
+    })
+    (fetchFromGitHub rec {
+      name = "${repo}-headers";
+      owner = "intel";
+      repo = "linux-sgx";
+      rev = "1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be";
+      hash = "sha256-WJRoS6+NBVJrFmHABEEDpDhW+zbWFUl65AycCkRavfs=";
+      sparseCheckout = [
+        "common/inc/sgx_report.h"
+        "common/inc/sgx_key.h"
+        "common/inc/sgx_attributes.h"
+      ];
+      postFetch = filterSparse sparseCheckout;
+    })
+  ];
+in
+stdenv.mkDerivation rec {
+  pname = "azure-dcap-client";
+  version = "1.11.2";
+
+  src = fetchFromGitHub {
+    owner = "microsoft";
+    repo = pname;
+    rev = version;
+    hash = "sha256-EYj3jnzTyJRl6N7avNf9VrB8r9U6zIE6wBNeVsMtWCA=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    curl
+    nlohmann_json
+    openssl
+  ];
+
+  postPatch = ''
+    mkdir -p src/Linux/ext/intel
+    find -L '${headers}' -type f -exec ln -s {} src/Linux/ext/intel \;
+
+    substitute src/Linux/Makefile{.in,} \
+      --replace '##CURLINC##' '${curl.dev}/include/curl/' \
+      --replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)'
+  '';
+
+  NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations";
+
+  makeFlags = [
+    "-C src/Linux"
+    "prefix=$(out)"
+  ];
+
+  meta = with lib; {
+    description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
+    homepage = "https://github.com/microsoft/azure-dcap-client";
+    maintainers = with maintainers; [ trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = [ licenses.mit ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 28ceea8c98bf..dd6d12eb346b 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -25808,6 +25808,8 @@ with pkgs;
 
   seturgent = callPackage ../os-specific/linux/seturgent { };
 
+  sgx-azure-dcap-client = callPackage ../os-specific/linux/sgx/azure-dcap-client { };
+
   sgx-sdk = callPackage ../os-specific/linux/sgx/sdk { };
 
   sgx-ssl = callPackage ../os-specific/linux/sgx/ssl { };