diff --git a/src/crypto/certstore.c b/src/crypto/certstore.c
index e62d8330..9809413a 100644
--- a/src/crypto/certstore.c
+++ b/src/crypto/certstore.c
@@ -145,6 +145,20 @@ void certstore_add ( struct x509_certificate *cert ) {
 	       x509_name ( cert ) );
 }
 
+/**
+ * Remove certificate from store
+ *
+ * @v cert		X.509 certificate
+ */
+void certstore_del ( struct x509_certificate *cert ) {
+
+	/* Remove certificate from store */
+	DBGC ( &certstore, "CERTSTORE removed certificate %s\n",
+	       x509_name ( cert ) );
+	list_del ( &cert->store.list );
+	x509_put ( cert );
+}
+
 /**
  * Discard a stored certificate
  *
@@ -158,10 +172,7 @@ static unsigned int certstore_discard ( void ) {
 	 */
 	list_for_each_entry_reverse ( cert, &certstore.links, store.list ) {
 		if ( cert->refcnt.count == 0 ) {
-			DBGC ( &certstore, "CERTSTORE discarded certificate "
-			       "%s\n", x509_name ( cert ) );
-			list_del ( &cert->store.list );
-			x509_put ( cert );
+			certstore_del ( cert );
 			return 1;
 		}
 	}
diff --git a/src/include/ipxe/certstore.h b/src/include/ipxe/certstore.h
index 49b3b512..e4c789cf 100644
--- a/src/include/ipxe/certstore.h
+++ b/src/include/ipxe/certstore.h
@@ -17,5 +17,6 @@ extern struct x509_chain certstore;
 extern struct x509_certificate * certstore_find ( struct asn1_cursor *raw );
 extern struct x509_certificate * certstore_find_key ( struct asn1_cursor *key );
 extern void certstore_add ( struct x509_certificate *cert );
+extern void certstore_del ( struct x509_certificate *cert );
 
 #endif /* _IPXE_CERTSTORE_H */