diff --git a/packages/check-cert/src/fetcher.rs b/packages/check-cert/src/fetcher.rs
index cb72732539a..e52aa3aed78 100644
--- a/packages/check-cert/src/fetcher.rs
+++ b/packages/check-cert/src/fetcher.rs
@@ -4,7 +4,6 @@
 use anyhow::{Context, Result};
 use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode};
-use openssl::x509::X509;
 use std::net::TcpStream;
 use std::time::Duration;
@@ -13,7 +12,7 @@ pub fn fetch_server_cert(
 port: &u16,
 timeout: Option,
 use_sni: bool,
-) -> Result {
+) -> Result> {
 let stream = TcpStream::connect(format!("{server}:{port}"))?;
 stream.set_read_timeout(timeout)?;
 let mut connector_builder = SslConnector::builder(SslMethod::tls())?;
@@ -33,5 +32,5 @@ pub fn fetch_server_cert(
 .context("Failed unpacking peer cert chain")?
 .to_owned();
 stream.shutdown()?;
- Ok(cert)
+ Ok(cert.to_der()?)
 }
diff --git a/packages/check-cert/src/main.rs b/packages/check-cert/src/main.rs
index bc6b41947ef..aad592254eb 100644
--- a/packages/check-cert/src/main.rs
+++ b/packages/check-cert/src/main.rs
@@ -6,6 +6,7 @@ use anyhow::{Context, Result};
 use check_cert::{checker, fetcher, output};
 use clap::Parser;
 use openssl::asn1::Asn1Time;
+use openssl::x509::X509;
 use std::time::Duration;
 #[derive(Parser, Debug)]
@@ -46,7 +47,7 @@ fn main() -> Result<(), Box> {
 std::process::exit(1);
 }
- let cert = fetcher::fetch_server_cert(
+ let der = fetcher::fetch_server_cert(
 &args.url,
 &args.port,
 if args.timeout == 0 {
@@ -57,6 +58,7 @@ fn main() -> Result<(), Box> {
 !args.disable_sni,
 )?;
+ let cert = X509::from_der(&der)?;
 let out = output::Output::from(vec![checker::check_validity(
 &args.url,
 cert.not_after(),
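Review bot: The new return type of `fetch_server_cert` in the second fetcher.rs hunk is a plain byte buffer, and nothing in the signature tells a caller what the bytes encode or how far they can be trusted. A doc comment on the function would settle that, for example `/// Returns the DER encoding of a certificate taken from the peer's chain; the bytes originate on the network and must be parsed before use.` The file imports `SslVerifyMode`, so chain verification is presumably configured in the part of the body outside this hunk; if it is switched off there, the comment should also say the certificate is unauthenticated. The generic parameters are not visible in this rendering, so the `Vec<u8>` reading is inferred from the `to_der()` call in the next hunk.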
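Review bot: `Ok(cert.to_der()?)` in the third fetcher.rs hunk propagates the bare OpenSSL error, while the chain lookup two lines above it attaches `.context("Failed unpacking peer cert chain")`. Giving the encode step the same treatment, `Ok(cert.to_der().context("Failed DER-encoding peer cert")?)`, keeps a failure attributable to one step. The same applies to `let cert = X509::from_der(&der)?;` in the last main.rs hunk, which parses bytes that originated on the network: `X509::from_der(&der).context("Failed parsing fetched cert as DER")?`. `Context` is already imported in both files, and the body of `fetch_server_cert` starts outside this hunk.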