diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 5b90da052..a33685c43 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -93,6 +93,14 @@ typedef struct hx509_name_constraints {
 #define GeneralSubtrees_SET(g,var) \
 	(g)->len = (var)->len, (g)->val = (var)->val;
 
+static void
+init_context_once(void *ignored)
+{
+
+    ENGINE_add_conf_module();
+    OpenSSL_add_all_algorithms();
+}
+
 /**
  * Creates a hx509 context that most functions in the library
  * uses. The context is only allowed to be used by one thread at each
@@ -108,10 +116,14 @@ typedef struct hx509_name_constraints {
 int
 hx509_context_init(hx509_context *context)
 {
+    static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
+
     *context = calloc(1, sizeof(**context));
     if (*context == NULL)
 	return ENOMEM;
 
+    heim_base_once_f(&init_context, NULL, init_context_once);
+
     _hx509_ks_null_register(*context);
     _hx509_ks_mem_register(*context);
     _hx509_ks_file_register(*context);
@@ -120,9 +132,6 @@ hx509_context_init(hx509_context *context)
     _hx509_ks_dir_register(*context);
     _hx509_ks_keychain_register(*context);
 
-    ENGINE_add_conf_module();
-    OpenSSL_add_all_algorithms();
-
     (*context)->ocsp_time_diff = HX509_DEFAULT_OCSP_TIME_DIFF;
 
     initialize_hx_error_table_r(&(*context)->et_list);