diff --git a/include/ircd/net/net.h b/include/ircd/net/net.h
index a03ae04f7..299881e39 100644
--- a/include/ircd/net/net.h
+++ b/include/ircd/net/net.h
@@ -56,7 +56,10 @@ namespace ircd::net
 ipport remote_ipport(const socket &) noexcept;
 std::pair bytes(const socket &) noexcept; //
 std::pair calls(const socket &) noexcept; //
+ const_buffer peer_cert_der(const mutable_buffer &, const socket &);
+ const_buffer peer_cert_der_sha256(const mutable_buffer &, const socket &);
+ string_view peer_cert_der_sha256_b64(const mutable_buffer &, const socket &);
 }
 // Exports to ircd::
diff --git a/ircd/net.cc b/ircd/net.cc
index fccdc606a..de9f036f0 100644
--- a/ircd/net.cc
+++ b/ircd/net.cc
@@ -67,12 +67,47 @@ ircd::net::log
 "net", 'N'
 };
+ircd::string_view
+ircd::net::peer_cert_der_sha256_b64(const mutable_buffer &buf,
+ const socket &socket)
+{
+ thread_local char shabuf[sha256::digest_size];
+
+ const auto hash
+ {
+ peer_cert_der_sha256(shabuf, socket)
+ };
+
+ return b64encode_unpadded(buf, hash);
+}
+
+ircd::const_buffer
+ircd::net::peer_cert_der_sha256(const mutable_buffer &buf,
+ const socket &socket)
+{
+ thread_local char derbuf[16384];
+
+ sha256
+ {
+ buf, peer_cert_der(derbuf, socket)
+ };
+
+ return
+ {
+ data(buf), sha256::digest_size
+ };
+}
+
 ircd::const_buffer
 ircd::net::peer_cert_der(const mutable_buffer &buf,
 const socket &socket)
 {
 const SSL &ssl(socket);
- const X509 &cert{openssl::peer_cert(ssl)};
+ const X509 &cert
+ {
+ openssl::peer_cert(ssl)
+ };
+
 return openssl::i2d(buf, cert);
 }
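Review bot: The declarations added to `namespace ircd::net` say nothing about how large the output buffer must be or what the returned view refers to, although every caller has to size that buffer itself. A comment above them would close the gap, for example `// buf receives the output; the sha256 variant needs at least sha256::digest_size bytes, the b64 variant room for the unpadded base64 of that digest`. Whether these calls throw when the peer presented no certificate is decided inside `openssl::peer_cert`, which is outside this diff, and deserves a line in the same comment once confirmed.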
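Review bot: `peer_cert_der_sha256` returns `{data(buf), sha256::digest_size}` without checking that the caller's `buf` holds at least `sha256::digest_size` bytes, so a short buffer yields a view that extends past its end, and a write past it as well unless the `sha256` constructor rejects it (its definition is not in this diff). A guard at the top of the function, such as `if(size(buf) < sha256::digest_size) throw std::length_error{"buffer too small for sha256 digest"};` (or the project's own error type), would enforce the contract in release builds too. Separately, the DER encoding passes through a fixed `thread_local char derbuf[16384]` while the certificate is supplied by the remote peer. It is worth confirming that `openssl::i2d` fails rather than truncates when the encoding exceeds that buffer, because a fingerprint computed over a truncated encoding would not identify the certificate.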