diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index acb27411a..10bc6369a 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1634,11 +1634,17 @@ struct x509_chain * x509_alloc_chain ( void ) {
  */
 int x509_append ( struct x509_chain *chain, struct x509_certificate *cert ) {
  struct x509_link *link;
+ int rc;
+
+ /* Ensure allocation of link cannot invalidate certificate */
+ x509_get ( cert );
 
  /* Allocate link */
  link = zalloc ( sizeof ( *link ) );
- if ( ! link )
-  return -ENOMEM;
+ if ( ! link ) {
+  rc = -ENOMEM;
+  goto err_alloc;
+ }
 
  /* Add link to chain */
  link->cert = x509_get ( cert );
@@ -1646,7 +1652,12 @@ int x509_append ( struct x509_chain *chain, struct x509_certificate *cert ) {
  DBGC ( chain, "X509 chain %p added X509 %p \"%s\"\n",
         chain, cert, x509_name ( cert ) );
 
- return 0;
+ /* Success */
+ rc = 0;
+
+ x509_put ( cert );
+ err_alloc:
+ return rc;
 }
 
 /**
diff --git a/src/net/tls.c b/src/net/tls.c
index 4c135f090..643b9292d 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2470,9 +2470,6 @@ static int tls_new_certificate_request ( struct tls_connection *tls,
  /* Determine client certificate to be sent, if any */
  cert = x509_find_key ( NULL, tls->client.key );
  if ( cert ) {
-
-  /* Get temporary reference to certificate */
-  x509_get ( cert );
 
   DBGC ( tls, "TLS %p selected client certificate %s\n",
          tls, x509_name ( cert ) );
@@ -2491,14 +2488,10 @@ static int tls_new_certificate_request ( struct tls_connection *tls,
         "to private key\n", tls );
  }
 
- /* Drop local reference (if any) to client certificate */
- x509_put ( cert );
-
  return 0;
 
  err_auto_append:
  err_append:
- x509_put ( cert );
  x509_chain_put ( tls->client.chain );
  tls->client.chain = NULL;
  err_alloc:
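Review bot: The temporary reference taken by `x509_get ( cert );` ahead of `zalloc()` is never released on the allocation-failure path: `goto err_alloc` jumps past the `x509_put ( cert );` that the second x509.c hunk places before the label, so an -ENOMEM return leaves the certificate's reference count permanently one too high and the certificate (and anything it keeps alive) can never be freed. Swapping the two lines so the label precedes the release, `err_alloc:` / `x509_put ( cert );` / `return rc;`, drops the temporary reference on both paths, while the chain's own reference from `link->cert = x509_get ( cert )` is still taken only on success. The same ordering is what the tls.c error labels in the last hunk use, with cleanup following the label rather than preceding it.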
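Review bot: With the temporary `x509_get ( cert )` removed, `cert` is held only by whatever reference `x509_find_key()` returned it under, so this code is safe only if nothing between the lookup and the `x509_append()` call can free the certificate as a side effect, which is exactly what the x509.c hunk's comment "Ensure allocation of link cannot invalidate certificate" says an allocation may do. The DBGC call visible here does not allocate, but the remaining lines up to the append are outside this hunk, and a future edit inserting an allocation there would silently reintroduce the hazard. A comment at the lookup would pin the new invariant, e.g. `/* No allocation may occur before x509_append() takes its own reference to cert */`. The enclosing tls_new_certificate_request() begins and ends outside the hunk.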