diff --git a/src/common/tortls.c b/src/common/tortls.c
index 33bd334a1251c2d01a0ca466b41877beb5737897..031539894663aa423b78bb472c4d71c54448bca9 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -683,6 +683,13 @@ MOCK_IMPL(STATIC tor_x509_cert_t *,
   return cert;
 }
 
+/** Return a copy of <b>cert</b> */
+tor_x509_cert_t *
+tor_x509_cert_dup(const tor_x509_cert_t *cert)
+{
+  return tor_x509_cert_new(X509_dup(cert->cert));
+}
+
 /** Read a DER-encoded X509 cert, of length exactly <b>certificate_len</b>,
  * from a <b>certificate</b>.  Return a newly allocated tor_x509_cert_t on
  * success and NULL on failure. */
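Review bot: The doc comment on `tor_x509_cert_dup()` does not state the failure or ownership contract, and `cert` is dereferenced as `cert->cert` with no prior check. `X509_dup()` returns NULL when allocation or re-encoding fails, and whether `tor_x509_cert_new()` tolerates a NULL argument is not visible in this hunk, so confirm that it does or test the duplicate before passing it on. I would add `tor_assert(cert);` as the first statement and widen the comment to `/** Return a newly allocated copy of <b>cert</b>, or NULL on failure. The caller must free the result with tor_x509_cert_free(). */`. Callers that hold the copy as a peer's identity or link certificate need that NULL case spelled out, so that a failed duplication is handled as an error and not carried forward as a missing certificate.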
diff --git a/src/common/tortls.h b/src/common/tortls.h
index 3adb1b2f6ef5d6f35e6c6eaaef04baae2d3f2f5d..6510fdbe64be9e1a89ce444a341a6501b3c28baf 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -176,6 +176,7 @@ extern uint64_t total_bytes_written_by_tls;
 
 #endif /* endif TORTLS_PRIVATE */
 
+tor_x509_cert_t *tor_x509_cert_dup(const tor_x509_cert_t *cert);
 const char *tor_tls_err_to_string(int err);
 void tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz);