diff --git a/core/Network/TLS.hs b/core/Network/TLS.hs
index e608ea853..b04bd1939 100644
--- a/core/Network/TLS.hs
+++ b/core/Network/TLS.hs
@@ -109,6 +109,7 @@ module Network.TLS
 , unClientRandom
 , unServerRandom
 , HandshakeMode13(..)
+ , getClientCertificateChain
 -- ** Negotiated
 , getNegotiatedProtocol
 , getClientSNI
@@ -170,6 +171,7 @@ import Network.TLS.Hooks
 import Network.TLS.Measurement
 import Network.TLS.Parameters
 import Network.TLS.Session
+import qualified Network.TLS.State as S
 import Network.TLS.Struct ( TLSError(..), TLSException(..)
 , HashAndSignatureAlgorithm, HashAlgorithm(..), SignatureAlgorithm(..)
 , Header(..), ProtocolType(..), CertificateType(..)
@@ -186,3 +188,11 @@ import Data.X509.Validation hiding (HostName)
 
 {-# DEPRECATED Bytes "Use Data.ByteString.Bytestring instead of Bytes." #-}
 type Bytes = B.ByteString
+
+-- | Getting certificates from a client, if any.
+-- Note that the certificates are not sent by a client
+-- on resumption even if client authentication is required.
+-- So, this API would be replaced by the one which can treat
+-- both cases of full-negotiation and resumption.
+getClientCertificateChain :: Context -> IO (Maybe CertificateChain)
+getClientCertificateChain ctx = usingState_ ctx S.getClientCertificateChain
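Review bot: The Haddock on the new `getClientCertificateChain` is the only guard against callers misreading `Nothing`, which here conflates "the client presented no certificate" with "the session was resumed and the peer was authenticated in an earlier handshake", and it does not say whether the returned chain has already been accepted by the server's client-certificate validation or is simply whatever the peer sent. Both matter for anyone using the result for authorization or audit logging: a resumed session looks unauthenticated, and an unvalidated chain must not be trusted as an identity. I would reword the summary to `-- | Return the certificate chain the client presented in the full handshake of this connection, if any.` and add one sentence stating that on a resumed session this is `Nothing` even when client authentication was required, so the result must not be used as an authentication check; whether the chain is recorded before or after the `onClientCertificate` hook accepts it is not visible in this hunk and should be confirmed and documented. The phrasing `Getting certificates from a client` and `this API would be replaced` should also become plain present-tense statements (`Return …`, `this API may be superseded by …`).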