diff --git a/ssl/crypto_misc.h b/ssl/crypto_misc.h
index 1fd514eeb1..5b08d36e48 100644
--- a/ssl/crypto_misc.h
+++ b/ssl/crypto_misc.h
@@ -76,6 +76,7 @@ struct _x509_ctx
     uint8_t sig_type;
     RSA_CTX *rsa_ctx;
     bigint *digest;
+    bigint *fingerprint;
     struct _x509_ctx *next;
 };
 
diff --git a/ssl/x509.c b/ssl/x509.c
index 0b092111f1..7402a4d794 100644
--- a/ssl/x509.c
+++ b/ssl/x509.c
@@ -119,6 +119,13 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
 
     bi_ctx = x509_ctx->rsa_ctx->bi_ctx;
 
+    SHA1_CTX sha_fp_ctx;
+    uint8_t sha_fp_dgst[SHA1_SIZE];
+    SHA1_Init(&sha_fp_ctx);
+    SHA1_Update(&sha_fp_ctx, &cert[0], cert_size);
+    SHA1_Final(sha_fp_dgst, &sha_fp_ctx);
+    x509_ctx->fingerprint = bi_import(bi_ctx, sha_fp_dgst, SHA1_SIZE);
+
 #ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */
     /* use the appropriate signature algorithm (SHA1/MD5/MD2) */
     if (x509_ctx->sig_type == SIG_TYPE_MD5)
@@ -245,6 +252,11 @@ void x509_free(X509_CTX *x509_ctx)
         bi_free(x509_ctx->rsa_ctx->bi_ctx, x509_ctx->digest);
     }
 
+    if (x509_ctx->fingerprint)
+    {
+        bi_free(x509_ctx->rsa_ctx->bi_ctx, x509_ctx->fingerprint);
+    }
+
     if (x509_ctx->subject_alt_dnsnames)
     {
         for (i = 0; x509_ctx->subject_alt_dnsnames[i]; ++i)