diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 62b720a73..6a2885a0f 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -1345,6 +1345,11 @@ _hx509_query_match_cert(const hx509_query *q, hx509_cert cert)
 if (strcasecmp(q->friendlyname, name) != 0)
 return 0;
 }
+ if (q->match & HX509_QUERY_MATCH_FUNCTION) {
+ int ret = (*q->cmp_func)(cert);
+ if (ret != 0)
+ return 0;
+ }
 if (q->match & ~HX509_QUERY_MASK)
 return 0;
diff --git a/lib/hx509/hx_locl.h b/lib/hx509/hx_locl.h
index 6d39311ae..722a5ba84 100644
--- a/lib/hx509/hx_locl.h
+++ b/lib/hx509/hx_locl.h
@@ -103,7 +103,8 @@ struct hx509_query_data {
 #define HX509_QUERY_MATCH_LOCAL_KEY_ID 0x10000
 #define HX509_QUERY_NO_MATCH_PATH 0x20000
 #define HX509_QUERY_MATCH_FRIENDLY_NAME 0x40000
-#define HX509_QUERY_MASK 0x7ffff
+#define HX509_QUERY_MATCH_FUNCTION 0x80000
+#define HX509_QUERY_MASK 0xfffff
 Certificate *subject;
 Certificate *certificate;
 heim_integer *serial;
@@ -113,6 +114,7 @@ struct hx509_query_data {
 Name *subject_name;
 hx509_path *path;
 char *friendlyname;
+ int (*cmp_func)(hx509_cert);
 };
 struct hx509_keyset_ops {
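Review bot: The new HX509_QUERY_MATCH_FUNCTION branch in _hx509_query_match_cert calls `q->cmp_func` without checking it for NULL, so a query that has the flag set but no callback assigned would jump through a null function pointer in the middle of certificate selection. Treating a missing callback as a non-match keeps the matcher fail-closed: `if (q->cmp_func == NULL || (*q->cmp_func)(cert) != 0) return 0;`. The function starts and ends outside this hunk and no setter is visible here, so it may be that the flag and the pointer are always set together elsewhere; if so, a short comment stating that invariant at this call site would be enough.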
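Review bot: The new `cmp_func` member of struct hx509_query_data has no comment stating its return convention, and the caller in cert.c accepts the certificate only when it returns 0, which is the opposite of what a predicate-style callback author is likely to assume. Because this decides which certificate a query selects, an inverted callback silently matches every certificate it was meant to reject. I would add a comment above the field such as `/* used with HX509_QUERY_MATCH_FUNCTION: return 0 if cert matches, non-zero to reject */`. The callback also receives only the certificate and no caller context, which presumably pushes any per-query state into globals; worth confirming that is intended.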