diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 121847faa..cf7beb3da 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -3348,6 +3348,40 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
 	}
     }
+    {
+	hx509_env envhash = NULL;
+	heim_octet_string os, sig;
+	char *buf;
+	Certificate *c = _hx509_get_cert(cert);
+
+	os.data = c->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.data;
+	os.length =
+	    c->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.length / 8;
+
+	ret = _hx509_create_signature(context,
+				      NULL,
+				      hx509_signature_sha1(),
+				      &os,
+				      NULL,
+				      &sig);
+	if (ret != 0)
+	    goto out;
+
+	hex_encode(sig.data, sig.length, &buf);
+	der_free_octet_string(&sig);
+
+	ret = hx509_env_add(context, &envhash, "sha1", buf);
+	free(buf);
+	if (ret)
+	    goto out;
+
+	ret = hx509_env_add_binding(context, &envcert, "hash", envhash);
+	if (ret) {
+	    hx509_env_free(&envhash);
+	    goto out;
+	}
+    }
+
     ret = hx509_env_add_binding(context, env, "certificate", envcert);
     if (ret)
 	goto out;
diff --git a/lib/hx509/test_query.in b/lib/hx509/test_query.in
index f67bb2165..d29d78a23 100644
--- a/lib/hx509/test_query.in
+++ b/lib/hx509/test_query.in
@@ -194,4 +194,10 @@ ${hxtool} query \
     --expr='"1.3.6.1.5.2.3.5" IN %{certificate.eku} AND %{certificate.subject} TAILMATCH "C=SE"' \
     FILE:$srcdir/data/kdc.crt > /dev/null || exit 1
+echo "make sure entry match with hash.sha1"
+${hxtool} query \
+    --expr='"%{certificate.hash.sha1}EQ "412120212A2CBFD777DE5499ECB4724345F33F16"' \
+    FILE:$srcdir/data/kdc.crt > /dev/null || exit 1
+
+
 exit 0
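Review bot: `hex_encode(sig.data, sig.length, &buf);` in the new block is called without checking its return value; it reports allocation failure with a negative return and then `buf` is not set, so the following `hx509_env_add(context, &envhash, "sha1", buf)` and `free(buf)` operate on an indeterminate pointer. Replace the call with `if (hex_encode(sig.data, sig.length, &buf) < 0) { der_free_octet_string(&sig); ret = ENOMEM; goto out; }` so the digest buffer is released and the failure is reported the same way the other allocation paths in this block are. The value exposed as `certificate.hash.sha1` is a SHA-1 over the raw `subjectPublicKey` bit string (`length / 8` bytes), not over the DER of the certificate, which the binding name `hash` does not convey; a comment such as `/* SHA-1 of the SubjectPublicKey bits, not a certificate fingerprint */` above the `os.data` assignment would save readers that surprise, and the `/ 8` silently drops any partial trailing byte, which is presumably fine for the key types in use but worth stating. `_hx509_cert_to_env` starts and ends outside the hunk, so whether `out:` releases `envcert` on the added `goto out` paths cannot be checked here.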
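Review bot: The added `--expr` looks mis-quoted: `'"%{certificate.hash.sha1}EQ "412120212A2CBFD777DE5499ECB4724345F33F16"'` opens a double-quoted string before `%{` and closes it after `EQ `, so the operator sits inside a string literal and the hex value sits outside one, while the existing queries in this file use the bare variable form `%{certificate.eku}`. Unless the expression grammar expands `%{}` inside string literals, this query can never match and the `|| exit 1` makes the suite fail; the likely intent is `--expr='%{certificate.hash.sha1} EQ "412120212A2CBFD777DE5499ECB4724345F33F16"' \`. Because the pinned SHA-1 is tied to `data/kdc.crt`, a comment noting that the value must be regenerated whenever that test certificate is regenerated would help the next maintainer.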