diff --git a/http.c b/http.c
index 6d27165f..9b539d56 100644
--- a/http.c
+++ b/http.c
@@ -32,10 +32,9 @@
 #include
 #include
 #include
-
-#include
-#include
-#include
+#include
+#include
+#include
 #include "openconnect-internal.h"
@@ -441,10 +440,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 close(fd);
 if (!fork()) {
- X509 *scert = SSL_get_peer_certificate(vpninfo->https_ssl);
- X509 *ccert = SSL_get_certificate(vpninfo->https_ssl);
- char scertbuf[EVP_MAX_MD_SIZE * 2 + 1];
- char ccertbuf[EVP_MAX_MD_SIZE * 2 + 1];
+ char scertbuf[MD5_SIZE * 2 + 1];
+ char ccertbuf[MD5_SIZE * 2 + 1];
 char *csd_argv[32];
 int i = 0;
@@ -490,15 +487,13 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->authgroup?:"") == -1)
 return -ENOMEM;
- get_cert_md5_fingerprint(vpninfo, scert, scertbuf);
- if (ccert)
- get_cert_md5_fingerprint(vpninfo, ccert, ccertbuf);
- else
- ccertbuf[0] = 0;
-
+ openconnect_local_cert_md5(vpninfo, ccertbuf);
+ scertbuf[0] = 0;
+ get_cert_md5_fingerprint(vpninfo, vpninfo->peer_cert, scertbuf);
 csd_argv[i++]= (char *)"-certhash";
 if (asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf) == -1)
 return -ENOMEM;
+
 csd_argv[i++]= (char *)"-url";
 if (asprintf(&csd_argv[i++], "\"https://%s%s\"", vpninfo->hostname, vpninfo->csd_starturl) == -1)
 return -ENOMEM;
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 06902fb7..be75d2a3 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -49,6 +49,7 @@
 #define N_(s) s
 #define SHA1_SIZE 20
+#define MD5_SIZE 16
 /****************************************************************************/
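Review bot: The new `scertbuf`/`ccertbuf` sizes of `MD5_SIZE * 2 + 1` hard-code the assumption that get_cert_md5_fingerprint writes at most 32 hex characters plus a terminator with no separators, and nothing in the hunk or the function's prototype states that contract; the previous `EVP_MAX_MD_SIZE` sizing had slack that is now gone, so a later change to the fingerprint format (separators, a longer digest) would overflow these stack buffers. A comment on the two declarations, `/* hex MD5 fingerprint, no separators: MD5_SIZE*2 chars + NUL */`, ties the size to its producer. run_csd_script starts before this hunk and its body continues after it.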
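Review bot: `get_cert_md5_fingerprint(vpninfo, vpninfo->peer_cert, scertbuf)` discards its return value and passes `vpninfo->peer_cert` without a NULL check, whereas the companion helper added in openssl.c guards `cert_x509` before making the same call; if the peer certificate is unset or the fingerprint fails, the script is silently handed an empty server hash in `-certhash`. Unless get_cert_md5_fingerprint is known to tolerate a NULL cert (its body is not in this diff), guard it the same way, `if (!vpninfo->peer_cert || get_cert_md5_fingerprint(vpninfo, vpninfo->peer_cert, scertbuf)) scertbuf[0] = 0;`, which also makes the preceding `scertbuf[0] = 0;` line unnecessary. The ignored return of openconnect_local_cert_md5 is harmless because that helper clears `buf[0]` itself before failing. This code runs in the forked child; run_csd_script continues outside the hunk.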
@@ -296,6 +297,8 @@ int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, X509 *cert,
 void openconnect_report_ssl_errors(struct openconnect_info *vpninfo);
 int openconnect_sha1(unsigned char *result, void *data, int len);
 int openconnect_random(void *bytes, int len);
+int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
+ char *buf);
 /* mainloop.c */
 int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);
diff --git a/openssl.c b/openssl.c
index 740ff5d0..61366bfa 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1166,3 +1166,17 @@ char *openconnect_get_cert_details(struct openconnect_info *vpninfo,
 return ret;
 }
+
+int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
+ char *buf)
+{
+ buf[0] = 0;
+
+ if (!vpninfo->cert_x509)
+ return -EIO;
+
+ if (get_cert_md5_fingerprint(vpninfo, vpninfo->cert_x509, buf))
+ return -EIO;
+
+ return 0;
+}
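Review bot: openconnect_local_cert_md5 requires `buf` to hold at least `MD5_SIZE * 2 + 1` bytes (the size its only caller in http.c allocates), but neither this definition nor the prototype added to openconnect-internal.h says so, and a caller with a smaller buffer would overflow inside get_cert_md5_fingerprint. Put the contract on the prototype in the header: `/* Hex MD5 of the local client cert into buf (>= MD5_SIZE*2+1 bytes); buf is emptied and -EIO returned if no cert is loaded or fingerprinting fails. */`. Both failure paths return the same -EIO, so a caller cannot tell "no client certificate configured" from a real fingerprint error; if get_cert_md5_fingerprint already returns a meaningful negative code, propagating it (`int ret = get_cert_md5_fingerprint(vpninfo, vpninfo->cert_x509, buf); if (ret) return ret;`) would keep that distinction.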