diff --git a/libopenconnect.map.in b/libopenconnect.map.in
index 4773241c..e459764f 100644
--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
@@ -26,6 +26,7 @@ OPENCONNECT_2.0 {
 	openconnect_get_cert_details;
 	openconnect_get_cert_DER;
 	openconnect_init_ssl;
+	openconnect_has_pkcs11_support;
 };
 
 OPENCONNECT_PRIVATE {
diff --git a/library.c b/library.c
index 92b7c253..c90f32af 100644
--- a/library.c
+++ b/library.c
@@ -226,3 +226,12 @@ const char *openconnect_get_version (void)
 {
 	return openconnect_version_str;
 }
+
+int openconnect_has_pkcs11_support(void)
+{
+#if defined (OPENCONNECT_GNUTLS) && defined (HAVE_P11KIT)
+	return 1;
+#else
+	return 0;
+#endif
+}
diff --git a/openconnect.h b/openconnect.h
index e4787a75..3dd5303f 100644
--- a/openconnect.h
+++ b/openconnect.h
@@ -36,6 +36,7 @@
 /*
  * API version 2.0:
  *  - OPENCONNECT_X509 is now an opaque type.
+ *  - Add openconnect_has_pkcs11_support()
  *  - Rename openconnect_init_openssl() -> openconnect_init_ssl()
  *  - Rename openconnect_vpninfo_new_with_cbdata() -> openconnect_vpninfo_new()
  *    and kill the old openconnect_vpninfo_new() and its callback types.
@@ -232,4 +233,8 @@ struct openconnect_info *openconnect_vpninfo_new (char *useragent,
 						  void *privdata);
 void openconnect_vpninfo_free (struct openconnect_info *vpninfo);
 
+/* SSL certificate capabilities. openconnect_has_pkcs11_support() means that we
+   can accept PKCS#11 URLs in place of filenames, for the certificate and key. */
+int openconnect_has_pkcs11_support(void);
+
 #endif /* __OPENCONNECT_H__ */