diff --git a/library/x509_crt.c b/library/x509_crt.c
index cd7e3248a9df..b6a68bafb21e 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2793,7 +2793,7 @@ static int x509_crt_verify_chain(
     uint32_t *flags;
     mbedtls_x509_crt_verify_chain_item *cur;
     mbedtls_x509_crt *child_crt;
-    mbedtls_x509_crt *parent;
+    mbedtls_x509_crt *parent_crt;
     int parent_is_trusted;
     int child_is_trusted;
     int signature_is_good;
@@ -2896,8 +2896,9 @@ static int x509_crt_verify_chain(
             }
 
             /* Look for a parent in trusted CAs or up the chain */
-            ret = x509_crt_find_parent( &child_sig, child_crt->next, trust_ca, &parent,
-                                        &parent_is_trusted, &signature_is_good,
+            ret = x509_crt_find_parent( &child_sig, child_crt->next, trust_ca,
+                                        &parent_crt, &parent_is_trusted,
+                                        &signature_is_good,
                                         ver_chain->len - 1, self_cnt, rs_ctx );
 
             x509_crt_free_sig_info( &child_sig );
@@ -2917,7 +2918,7 @@ static int x509_crt_verify_chain(
 #endif
 
         /* No parent? We're done here */
-        if( parent == NULL )
+        if( parent_crt == NULL )
         {
             *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
             return( 0 );
@@ -2942,22 +2943,31 @@ static int x509_crt_verify_chain(
         if( ! signature_is_good )
             *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
 
-        /* check size of signing key */
-        if( x509_profile_check_key( profile, &parent->pk ) != 0 )
-            *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+        {
+            mbedtls_pk_context *parent_pk;
+            ret = x509_crt_pk_acquire( parent_crt, &parent_pk );
+            if( ret != 0 )
+                return( MBEDTLS_ERR_X509_FATAL_ERROR );
+
+            /* check size of signing key */
+            if( x509_profile_check_key( profile, parent_pk ) != 0 )
+                *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+            x509_crt_pk_release( parent_crt, parent_pk );
+        }
 
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
         /* Check trusted CA's CRL for the given crt */
         *flags |= x509_crt_verifycrl( child_serial.p,
                                       child_serial.len,
-                                      parent, ca_crl, profile );
+                                      parent_crt, ca_crl, profile );
 #else
         (void) ca_crl;
 #endif
 
         /* prepare for next iteration */
-        child_crt = parent;
-        parent = NULL;
+        child_crt = parent_crt;
+        parent_crt = NULL;
         child_is_trusted = parent_is_trusted;
         signature_is_good = 0;
     }