diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 920869a2f2becd..3ff95484871fce 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -1962,10 +1962,10 @@ void SSLWrap<Base>::GetCertificate(
 
   Local<Object> result;
 
-  X509Pointer cert(SSL_get_certificate(w->ssl_.get()));
+  X509* cert = SSL_get_certificate(w->ssl_.get());
 
-  if (cert)
-    result = X509ToObject(env, cert.get());
+  if (cert != nullptr)
+    result = X509ToObject(env, cert);
 
   args.GetReturnValue().Set(result);
 }
diff --git a/test/parallel/test-tls-pfx-authorizationerror.js b/test/parallel/test-tls-pfx-authorizationerror.js
index 6daf89dff0d82f..5105a60dacd6de 100644
--- a/test/parallel/test-tls-pfx-authorizationerror.js
+++ b/test/parallel/test-tls-pfx-authorizationerror.js
@@ -37,8 +37,13 @@ const server = tls
         rejectUnauthorized: false
       },
       function() {
-        assert.strictEqual(client.getCertificate().serialNumber,
-                           'ECC9B856270DA9A8');
+        for (let i = 0; i < 10; ++i) {
+          // Calling this repeatedly is a regression test that verifies
+          // that .getCertificate() does not accidentally decrease the
+          // reference count of the X509* certificate on the native side.
+          assert.strictEqual(client.getCertificate().serialNumber,
+                             'ECC9B856270DA9A8');
+        }
         client.end();
         server.close();
       }