diff --git a/libfreerdp-core/tls.c b/libfreerdp-core/tls.c
index 0dbac37c6..4afc1a617 100644
--- a/libfreerdp-core/tls.c
+++ b/libfreerdp-core/tls.c
@@ -22,8 +22,37 @@
 
 #include "tls.h"
 
+static CryptoCert tls_get_certificate(rdpTls* tls)
+{
+	CryptoCert cert;
+	X509* server_cert;
+
+	server_cert = SSL_get_peer_certificate(tls->ssl);
+
+	if (!server_cert)
+	{
+		printf("ssl_verify: failed to get the server SSL certificate\n");
+		cert = NULL;
+	}
+	else
+	{
+		cert = xmalloc(sizeof(*cert));
+		cert->px509 = server_cert;
+	}
+
+	return cert;
+}
+
+static void tls_free_certificate(CryptoCert cert)
+{
+
+	X509_free(cert->px509);
+	xfree(cert);
+}
+
 boolean tls_connect(rdpTls* tls)
 {
+	CryptoCert cert;
 	int connection_status;
 
 	tls->ctx = SSL_CTX_new(TLSv1_client_method());
@@ -73,23 +102,25 @@ boolean tls_connect(rdpTls* tls)
 		}
 	}
 
-	tls->cert = tls_get_certificate(tls);
+	cert = tls_get_certificate(tls);
 
-	if (tls->cert == NULL)
+	if (cert == NULL)
 	{
 		printf("tls_connect: tls_get_certificate failed to return the server certificate.\n");
 		return false;
 	}
 
-	if (!crypto_cert_get_public_key(tls->cert, &tls->public_key))
+	if (!crypto_cert_get_public_key(cert, &tls->public_key))
 	{
 		printf("tls_connect: crypto_cert_get_public_key failed to return the server public key.\n");
 		return false;
 	}
 
-	if (!tls_verify_certificate(tls, tls->cert, tls->settings->hostname))
+	if (!tls_verify_certificate(tls, cert, tls->settings->hostname))
 		tls_disconnect(tls);
 
+	tls_free_certificate(cert);
+
 	return true;
 }
 
@@ -230,27 +261,6 @@ boolean tls_print_error(char* func, SSL* connection, int value)
 	}
 }
 
-CryptoCert tls_get_certificate(rdpTls* tls)
-{
-	CryptoCert cert;
-	X509* server_cert;
-
-	server_cert = SSL_get_peer_certificate(tls->ssl);
-
-	if (!server_cert)
-	{
-		printf("ssl_verify: failed to get the server SSL certificate\n");
-		cert = NULL;
-	}
-	else
-	{
-		cert = xmalloc(sizeof(*cert));
-		cert->px509 = server_cert;
-	}
-
-	return cert;
-}
-
 boolean tls_verify_certificate(rdpTls* tls, CryptoCert cert, char* hostname)
 {
 	int match;
diff --git a/libfreerdp-core/tls.h b/libfreerdp-core/tls.h
index e941dd0c4..057403d61 100644
--- a/libfreerdp-core/tls.h
+++ b/libfreerdp-core/tls.h
@@ -36,7 +36,6 @@ struct rdp_tls
 	SSL* ssl;
 	int sockfd;
 	SSL_CTX* ctx;
-	CryptoCert cert;
 	rdpBlob public_key;
 	rdpSettings* settings;
 	rdpCertificateStore* certificate_store;
@@ -49,7 +48,6 @@ boolean tls_disconnect(rdpTls* tls);
 int tls_read(rdpTls* tls, uint8* data, int length);
 int tls_write(rdpTls* tls, uint8* data, int length);
 
-CryptoCert tls_get_certificate(rdpTls* tls);
 boolean tls_verify_certificate(rdpTls* tls, CryptoCert cert, char* hostname);
 void tls_print_certificate_error(char* hostname, char* fingerprint);
 void tls_print_certificate_name_mismatch_error(char* hostname, char* common_name, char** alt_names, int alt_names_count);