diff --git a/src/decoder.c b/src/decoder.c
index a175ad67..754b0c92 100644
--- a/src/decoder.c
+++ b/src/decoder.c
@@ -82,28 +82,13 @@ static int filter_for_desired_data_type(const OSSL_PARAM params[], void *arg)
     return RET_OSSL_CARRY_ON_DECODING;
 }
 
-static int p11prov_der_decoder_p11prov_obj_decode(
-    const char *desired_data_type, void *inctx, OSSL_CORE_BIO *cin,
-    int selection, OSSL_CALLBACK *object_cb, void *object_cbarg,
-    OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
+static int load_obj(const P11PROV_DECODER_CTX *ctx, const unsigned char *der,
+                    long der_len, struct desired_data_type_cbdata *cbdata,
+                    OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
 {
     P11PROV_PK11_URI *obj = NULL;
-    BIO *bin;
     char *uri = NULL;
-    P11PROV_DECODER_CTX *ctx = inctx;
 
-    bin = BIO_new_from_core_bio(p11prov_ctx_get_libctx(ctx->provctx), cin);
-    if (!bin) {
-        P11PROV_debug("P11 DECODER BIO_new_from_core_bio failed");
-        goto done;
-    }
-
-    const unsigned char *der;
-    long der_len = BIO_get_mem_data(bin, &der);
-    if (der_len <= 0) {
-        P11PROV_debug("P11 DECODER BIO_get_mem_data failed");
-        goto done;
-    }
     obj = d2i_P11PROV_PK11_URI(NULL, &der, der_len);
     if (!obj) {
         P11PROV_debug("P11 KEY DECODER d2i_P11PROV_PK11_URI failed");
@@ -119,18 +104,49 @@ static int p11prov_der_decoder_p11prov_obj_decode(
         goto done;
     }
 
+    p11prov_store_direct_fetch(ctx->provctx, uri, filter_for_desired_data_type,
+                               cbdata, pw_cb, pw_cbarg);
+done:
+    OPENSSL_free(uri);
+    P11PROV_PK11_URI_free(obj);
+    return RET_OSSL_CARRY_ON_DECODING;
+}
+
+static int p11prov_der_decoder_p11prov_obj_decode(
+    const char *desired_data_type, void *inctx, OSSL_CORE_BIO *cin,
+    int selection, OSSL_CALLBACK *object_cb, void *object_cbarg,
+    OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
+{
+    const P11PROV_DECODER_CTX *ctx = inctx;
+    BIO *bin;
+    unsigned char *der = NULL;
+    long der_len;
+    int ret = RET_OSSL_CARRY_ON_DECODING;
+
+    bin = BIO_new_from_core_bio(p11prov_ctx_get_libctx(ctx->provctx), cin);
+    if (!bin) {
+        P11PROV_debug("P11 DECODER BIO_new_from_core_bio failed");
+        goto done;
+    }
+
+    der_len = BIO_get_mem_data(bin, &der);
+    if (der_len <= 0) {
+        P11PROV_debug("P11 DECODER BIO_get_mem_data failed");
+        goto done;
+    }
+
     struct desired_data_type_cbdata cbdata = {
         .desired_data_type = desired_data_type,
         .cb = object_cb,
         .cbarg = object_cbarg,
     };
 
-    p11prov_store_direct_fetch(ctx->provctx, uri, filter_for_desired_data_type,
-                               &cbdata, pw_cb, pw_cbarg);
+    ret = load_obj(ctx, der, der_len, &cbdata, pw_cb, pw_cbarg);
+
 done:
-    OPENSSL_free(uri);
-    P11PROV_PK11_URI_free(obj);
-    return RET_OSSL_CARRY_ON_DECODING;
+    BIO_free(bin);
+    P11PROV_debug("der decoder (carry on:%d)", ret);
+    return ret;
 }
 
 static int p11prov_der_decoder_p11prov_rsa_decode(
@@ -189,6 +205,16 @@ static int p11prov_pem_decoder_p11prov_der_decode(
 
     if (PEM_read_bio(bin, &pem_label, &pem_header, &der_data, &der_len) > 0
         && strcmp(pem_label, P11PROV_PEM_LABEL) == 0) {
+
+        /* special case certificates */
+        struct desired_data_type_cbdata cbdata = {
+            .desired_data_type = P11PROV_NAME_CERTIFICATE,
+            .cb = object_cb,
+            .cbarg = object_cbarg,
+        };
+        load_obj(ctx, der_data, der_len, &cbdata, pw_cb, pw_cbarg);
+        /* */
+
         params[0] = OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_DATA,
                                                       der_data, der_len);
         params[1] = OSSL_PARAM_construct_utf8_string(
diff --git a/src/provider.h b/src/provider.h
index 8294c119..5fdf4a0e 100644
--- a/src/provider.h
+++ b/src/provider.h
@@ -59,6 +59,7 @@
 #define P11PROV_DESCS_RAND "PKCS11 Random Generator"
 #define P11PROV_NAMES_RSAKEY "RSA"
 #define P11PROV_DESCS_RSAKEY "PKCS11 RSA Key"
+#define P11PROV_NAME_CERTIFICATE "CERTIFICATE"
 
 #define P11PROV_PARAM_URI "pkcs11_uri"
 #define P11PROV_PARAM_KEY_USAGE "pkcs11_key_usage"
diff --git a/src/store.c b/src/store.c
index d05be1b3..3d9d9bc7 100644
--- a/src/store.c
+++ b/src/store.c
@@ -384,7 +384,7 @@ static int p11prov_store_load(void *pctx, OSSL_CALLBACK *object_cb,
         break;
     case CKO_CERTIFICATE:
         object_type = OSSL_OBJECT_CERT;
-        data_type = (char *)"CERTIFICATE";
+        data_type = (char *)P11PROV_NAME_CERTIFICATE;
         cert = p11prov_obj_get_attr(obj, CKA_VALUE);
         if (cert == NULL) {
             return RET_OSSL_ERR;
diff --git a/tests/tpem_encoder b/tests/tpem_encoder
index 09eea2da..988e113a 100755
--- a/tests/tpem_encoder
+++ b/tests/tpem_encoder
@@ -146,4 +146,17 @@ if [[ ! ${DATA} =~ "Total found: 1" ]]; then
     exit 1
 fi
 
+
+title PARA "Test certificate is usable"
+make-uri-pem "${ECCRTURI}" "${TMPPDIR}/eccrturi-cert.pem"
+ossl '
+storeutl
+        -out "${TMPPDIR}/storeutl-eccrturi-cert.txt"
+        "${TMPPDIR}/eccrturi-cert.pem"'
+DATA=$(cat "${TMPPDIR}/storeutl-eccrturi-cert.txt")
+if [[ ! ${DATA} =~ "Total found: 1" ]]; then
+    echo "Should return certificate"
+    exit 1
+fi
+
 exit 0