diff --git a/openssl/src/c_helpers.c b/openssl/src/c_helpers.c
index dfbfbf81e6dae07871de9a430a17012ebe4bdf51..1b48565e479440cabefc7798819cf53cd8fa71e8 100644
--- a/openssl/src/c_helpers.c
+++ b/openssl/src/c_helpers.c
@@ -11,3 +11,7 @@ void rust_SSL_CTX_clone(SSL_CTX *ctx) {
 void rust_EVP_PKEY_clone(EVP_PKEY *pkey) {
     CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
 }
+
+void rust_X509_clone(X509 *x509) {
+    CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
+}
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index ffd478ef554e3f105a7d417c82b866390519f112..f31de89b35ed008f1d9ac94bc9d41958810ff9e3 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -507,6 +507,20 @@ impl<'ctx> X509<'ctx> {
     }
 }
 
+extern "C" {
+    fn rust_X509_clone(x509: *mut ffi::X509);
+}
+
+impl<'ctx> Clone for X509<'ctx> {
+    fn clone(&self) -> X509<'ctx> {
+        unsafe { rust_X509_clone(self.handle) }
+        /* FIXME: given that we now have refcounting control, 'owned' should be uneeded, the 'ctx
+         * is probably also uneeded. We can remove both to condense the x509 api quite a bit
+         */
+        X509::new(self.handle, true)
+    }
+}
+
 impl<'ctx> Drop for X509<'ctx> {
     fn drop(&mut self) {
         if self.owned {