diff --git a/configure.ac b/configure.ac
index 7e991be2..c4b78f09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -196,6 +196,11 @@ AC_ARG_ENABLE([agent],
 [AS_HELP_STRING([--enable-agent],[Enable ssh-agent support (default: disabled)])],
 [ENABLED_AGENT=$enableval],[ENABLED_AGENT=no])
+# X.509 certs
+AC_ARG_ENABLE([certs],
+ [AS_HELP_STRING([--enable-certs],[Enable X.509 cert support (default: disabled)])],
+ [ENABLED_CERTS=$enableval],[ENABLED_CERTS=no])
+
 # smallstack
 AC_ARG_ENABLE([smallstack],
 [AS_HELP_STRING([--enable-smallstack],[Enable small stack (default: disabled)])],
@@ -221,7 +226,7 @@ AC_ARG_ENABLE([distro],
 AS_IF([test "x$ENABLED_DISTRO" = "xyes"],
 [ENABLED_ALL=yes; enable_shared=yes; enable_static=yes])
 AS_IF([test "x$ENABLED_ALL" = "xyes"],
- [ENABLED_KEYGEN=yes; ENABLED_SCP=yes; ENABLED_SFTP=yes; ENABLED_FWD=yes; ENABLED_SHELL=yes; ENABLED_AGENT=yes; ENABLED_SSHD=yes])
+ [ENABLED_KEYGEN=yes; ENABLED_SCP=yes; ENABLED_SFTP=yes; ENABLED_FWD=yes; ENABLED_SHELL=yes; ENABLED_AGENT=yes; ENABLED_SSHD=yes; ENABLED_CERTS=yes])
 AS_IF([test "x$ENABLED_SSHD" = "xyes"],
 [ENABLED_SHELL=yes])
@@ -241,6 +246,7 @@ AS_IF([test "x$ENABLED_PTERM" = "xyes"],
 AS_IF([test "x$ENABLED_SHELL" = "xyes"],
 [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_SHELL"])
 AS_IF([test "x$ENABLED_AGENT" = "xyes"],[AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_AGENT"])
+AS_IF([test "x$ENABLED_CERTS" = "xyes"],[AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_CERTS"])
 AS_IF([test "x$ENABLED_SMALLSTACK" = "xyes"],
 [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_SMALL_STACK"])
 AS_IF([test "x$ENABLED_SSHD" = "xyes"],
@@ -297,6 +303,7 @@ AM_CONDITIONAL([BUILD_TERM],[test "x$ENABLED_TERM" = "xyes"])
 AM_CONDITIONAL([BUILD_SHELL],[test "x$ENABLED_SHELL" = "xyes"])
 AM_CONDITIONAL([BUILD_AGENT],[test "x$ENABLED_AGENT" = "xyes"])
 AM_CONDITIONAL([BUILD_SSHD],[test "x$ENABLED_SSHD" = "xyes"])
+AM_CONDITIONAL([BUILD_CERTS],[test "x$ENABLED_CERTS" = "xyes"])
 AX_HARDEN_CC_COMPILER_FLAGS
@@ -340,5 +347,6 @@ AS_ECHO([" * sftp: $ENABLED_SFTP"])
 AS_ECHO([" * sshd: $ENABLED_SSHD"])
 AS_ECHO([" * agent: $ENABLED_AGENT"])
 AS_ECHO([" * TCP/IP Forwarding: $ENABLED_FWD"])
+AS_ECHO([" * X.509 Certs: $ENABLED_CERTS"])
 AS_ECHO([" * Examples: $ENABLED_EXAMPLES"])
 AS_ECHO([" * liboqs Integration: $ENABLED_LIBOQS"])
diff --git a/src/certman.c b/src/certman.c
new file mode 100644
index 00000000..ee01720a
--- /dev/null
+++ b/src/certman.c
@@ -0,0 +1,60 @@
+/* certman.c
+ *
+ * Copyright (C) 2014-2021 wolfSSL Inc.
+ *
+ * This file is part of wolfSSH.
+ *
+ * wolfSSH is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSH is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfSSH. If not, see .
+ */
+
+ /*
+ * The certman module contains utility functions wrapping the wolfSSL
+ * certificate manager functions to validate user certificates.
+ */
+
+ #ifdef HAVE_CONFIG_H
+ #include
+#endif
+
+#ifdef WOLFSSL_USER_SETTINGS
+ #include
+#else
+ #include
+#endif
+
+ #include
+#include
+ #include
+#include
+
+ #ifdef WOLFSSH_CERTS
+
+#ifdef NO_INLINE
+ #include
+#else
+ #define WOLFSSH_MISC_INCLUDED
+ #include "src/misc.c"
+#endif
+
+int wolfSSH_CertInit(void)
+{
+ return 0;
+}
+
+#endif /* WOLFSSH_CERTS */
diff --git a/src/include.am b/src/include.am
index 16d6432b..8b70bdcc 100644
--- a/src/include.am
+++ b/src/include.am
@@ -34,3 +34,7 @@ endif
 if BUILD_AGENT
 src_libwolfssh_la_SOURCES += src/agent.c
 endif
+
+if BUILD_CERTS
+src_libwolfssh_la_SOURCES += src/certman.c
+endif
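Review bot: `wolfSSH_CertInit` at the end of the new src/certman.c is a bare `return 0;` with no comment, while the file header states the module wraps the wolfSSL certificate manager to validate user certificates; combined with `ENABLED_CERTS=yes` being added to `--enable-all` and the new `X.509 Certs` summary line in the configure.ac hunks, a build now advertises certificate support that performs no validation at all. Add a comment on the definition that makes the placeholder status explicit, e.g. `/* Placeholder: certificate-manager setup is not implemented yet; a 0 return must not be read as "user certificates are verified". */`, and return the project's `WS_SUCCESS` rather than a literal 0 if the header that defines it is among the includes (the include targets are not shown in this hunk). The `#include "src/misc.c"` under `WOLFSSH_MISC_INCLUDED` is pulled in although nothing in the stub uses it; presumably this mirrors the other source modules, but a one-line comment saying so would stop the next reader from wondering.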
diff --git a/tests/include.am b/tests/include.am
index 7f7533ba..39093a73 100644
--- a/tests/include.am
+++ b/tests/include.am
@@ -27,6 +27,9 @@ endif
 if BUILD_FWD
 tests_unit_test_CPPFLAGS += -DWOLFSSH_FWD
 endif
+if BUILD_CERTS
+tests_unit_test_CPPFLAGS += -DWOLFSSH_CERTS
+endif
 tests_unit_test_LDADD = src/libwolfssh.la
 tests_unit_test_DEPENDENCIES = src/libwolfssh.la
@@ -51,6 +54,9 @@ endif
 if BUILD_FWD
 tests_api_test_CPPFLAGS += -DWOLFSSH_FWD
 endif
+if BUILD_CERTS
+tests_api_test_CPPFLAGS += -DWOLFSSH_CERTS
+endif
 tests_api_test_LDADD = src/libwolfssh.la
 tests_api_test_DEPENDENCIES = src/libwolfssh.la
@@ -78,6 +84,9 @@ endif
 if BUILD_FWD
 tests_testsuite_test_CPPFLAGS += -DWOLFSSH_FWD
 endif
+if BUILD_CERTS
+tests_testsuite_test_CPPFLAGS += -DWOLFSSH_CERTS
+endif
 tests_testsuite_test_LDADD = src/libwolfssh.la
 tests_testsuite_test_DEPENDENCIES = src/libwolfssh.la
diff --git a/wolfssh/certman.h b/wolfssh/certman.h
new file mode 100644
index 00000000..81b2fddd
--- /dev/null
+++ b/wolfssh/certman.h
@@ -0,0 +1,46 @@
+/* certman.h
+ *
+ * Copyright (C) 2014-2021 wolfSSL Inc.
+ *
+ * This file is part of wolfSSH.
+ *
+ * wolfSSH is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSH is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfSSH. If not, see .
+ */
+
+ /*
+ * The certman module contains utility functions wrapping the wolfSSL
+ * certificate manager functions to validate user certificates.
+ */
+
+ #ifndef _WOLFSSH_CERTMAN_H_
+#define _WOLFSSH_CERTMAN_H_
+
+#include
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ WOLFSSH_API int wolfSSH_CertInit(void);
+
+ #ifdef __cplusplus
+}
+#endif
+
+#endif /* _WOLFSSH_CERTMAN_H_ */
diff --git a/wolfssh/include.am b/wolfssh/include.am
index 263d4f72..f4013bf2 100644
--- a/wolfssh/include.am
+++ b/wolfssh/include.am
@@ -4,6 +4,7 @@ nobase_include_HEADERS+= \
 wolfssh/agent.h \
+ wolfssh/certman.h \
 wolfssh/version.h \
 wolfssh/ssh.h \
 wolfssh/keygen.h \
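Review bot: The prototype `WOLFSSH_API int wolfSSH_CertInit(void);` in the new wolfssh/certman.h is declared unconditionally, but its definition in src/certman.c sits inside `#ifdef WOLFSSH_CERTS` and the file is only compiled under `BUILD_CERTS` (src/include.am), so a translation unit that includes this header in a build configured without `--enable-certs` compiles cleanly and then fails at link time. Wrap the prototype in `#ifdef WOLFSSH_CERTS` … `#endif` (presumably the pattern the other optional-module headers follow) so the mismatch is reported by the compiler instead. The guard `_WOLFSSH_CERTMAN_H_` (leading underscore followed by an uppercase letter) is in the identifier space reserved for the implementation; if the project's other headers use the same form it is an existing convention, otherwise `WOLFSSH_CERTMAN_H` is the safer spelling. Since this header is the public API surface, a one-line Doxygen comment on the prototype stating what the function initializes and its return convention would also be worth adding.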