diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 91456e2204..d43ad69e7b 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -50,6 +50,7 @@ void ssl_sock_free_srv_ctx(struct server *srv);
 void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
 int ssl_sock_load_ca(struct bind_conf *bind_conf);
 void ssl_sock_free_ca(struct bind_conf *bind_conf);
+const char *ssl_sock_get_cert_sig(struct connection *conn);
 const char *ssl_sock_get_cipher_name(struct connection *conn);
 const char *ssl_sock_get_proto_version(struct connection *conn);
 void ssl_sock_set_servername(struct connection *conn, const char *hostname);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 555c7c4eca..0e39d10e6d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5768,6 +5768,21 @@ int ssl_sock_get_pkey_algo(struct connection *conn, struct chunk *out)
 return 1;
 }
+/* used for ppv2 cert signature (can be used for logging) */
+const char *ssl_sock_get_cert_sig(struct connection *conn)
+{
+ __OPENSSL_110_CONST__ ASN1_OBJECT *algorithm;
+ X509 *crt;
+
+ if (!ssl_sock_is_ssl(conn))
+ return NULL;
+ crt = SSL_get_certificate(conn->xprt_ctx);
+ if (!crt)
+ return NULL;
+ X509_ALGOR_get0(&algorithm, NULL, NULL, X509_get0_tbs_sigalg(crt));
+ return OBJ_nid2sn(OBJ_obj2nid(algorithm));
+}
+
 /* used for logging/ppv2, may be changed for a sample fetch later */
 const char *ssl_sock_get_cipher_name(struct connection *conn)
 {
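Review bot: The header comment on the new ssl_sock_get_cert_sig in src/ssl_sock.c does not say which certificate it inspects or when it returns NULL, and both matter to a PPv2 or logging caller, since SSL_get_certificate() yields the certificate this side presented rather than the peer's. Suggest replacing it with `/* Returns the short name of the signature algorithm of the certificate this side presented (SSL_get_certificate), or NULL if the connection is not SSL or carries no certificate. Used for ppv2 / logging. */`, and putting the same one-line contract on the prototype added in include/proto/ssl_sock.h. Note also that when OBJ_obj2nid() does not recognise the OID it returns NID_undef, for which OBJ_nid2sn() yields the string "UNDEF" rather than NULL, so a caller checking only for NULL will emit "UNDEF"; if that is not acceptable for the PPv2 TLV, map it explicitly with `int nid = OBJ_obj2nid(algorithm);` / `return nid == NID_undef ? NULL : OBJ_nid2sn(nid);`. ssl_sock_get_cipher_name, whose signature is the last context line, continues outside the hunk.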