diff --git a/include/opendht/crypto.h b/include/opendht/crypto.h
index 1466a4d7d71290ae512cfd26f6b414ba97a8d3bd..8f0c574a85a4495bb8c8f4cc44b9ef5a6552a043 100644
--- a/include/opendht/crypto.h
+++ b/include/opendht/crypto.h
@@ -107,7 +107,7 @@ struct PrivateKey
     /**
      * Generate a new RSA key pair
      * @param key_length : size of the modulus in bits
-     *      Recommended values: 2048, 4096, 8192
+     *      Recommended values: 4096, 8192
      */
     static PrivateKey generate(unsigned key_length = 4096);
 
@@ -139,6 +139,11 @@ struct Certificate : public Serializable {
 
     std::string getUID() const;
 
+    /**
+     * PEM encoded certificate
+     */
+    std::string toString() const;
+
     gnutls_x509_crt_t cert {};
 private:
     Certificate(const Certificate&) = delete;
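Review bot: The new doc comment on `toString()` does not state what is returned when there is no certificate or when the export fails. The `cert {}` member declared just below is value-initialized, so the accessor can be called on an object that holds no gnutls certificate. Callers that persist or transmit the result need that contract spelled out, for example `@return the certificate in PEM format, or an empty string if the export fails`, and the implementation should honor it. The struct body continues outside this hunk.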
diff --git a/src/crypto.cpp b/src/crypto.cpp
index 99f5bb3fa4193646c2cf530db3008eeae180db12..7320c512e1bd87573eded96303ba16b66e715494 100644
--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@@ -416,6 +416,20 @@ Certificate::getUID() const
     return uid;
 }
 
+std::string
+Certificate::toString() const
+{
+    std::string str;
+    size_t buf_sz = 8192;
+    str.resize(buf_sz);
+    int err = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, &(*str.begin()), &buf_sz);
+    if (err != GNUTLS_E_SUCCESS) {
+        std::cerr << "Could not export certificate - " << gnutls_strerror(err) << std::endl;
+    }
+    str.resize(buf_sz);
+    return str;
+}
+
 PrivateKey
 PrivateKey::generate(unsigned key_length)
 {
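Review bot: In `Certificate::toString()` the error branch only logs and then falls through to `str.resize(buf_sz)`, so a failed export still returns a non-empty string. When gnutls reports `GNUTLS_E_SHORT_MEMORY_BUFFER` it updates `buf_sz` to the required size, so the string is grown and returned with content that is not a complete PEM. On other errors the caller most likely receives the 8192-byte NUL-filled buffer, assuming `buf_sz` is left unchanged. A caller cannot tell either result from a real certificate without parsing it, which matters if the value is written to disk or sent to a peer. I would retry once with the size gnutls asks for and return an empty string on any remaining error, as sketched below. The fixed 8192-byte starting size can then stay as an optimization.

```cpp
    int err = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, &(*str.begin()), &buf_sz);
    if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
        // buf_sz now holds the size gnutls needs: grow the buffer and retry once
        str.resize(buf_sz);
        err = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, &(*str.begin()), &buf_sz);
    }
    if (err != GNUTLS_E_SUCCESS) {
        std::cerr << "Could not export certificate - " << gnutls_strerror(err) << std::endl;
        return {};  // never hand back a partially filled buffer as if it were PEM
    }
    // … unchanged: final str.resize(buf_sz) and return str …
```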