diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 7b8a6967f..72635f450 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -809,6 +809,23 @@ bool VerifyCertificate(const std::shared_ptr& caCertificate, const std::sh
 return rc == 1;
 }
 
+bool IsCa(const std::shared_ptr& cacert)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ /* OpenSSL 1.1.x provides https://www.openssl.org/docs/man1.1.0/man3/X509_check_ca.html
+ *
+ * 0 if it is not CA certificate,
+ * 1 if it is proper X509v3 CA certificate with basicConstraints extension CA:TRUE,
+ * 3 if it is self-signed X509 v1 certificate
+ * 4 if it is certificate with keyUsage extension with bit keyCertSign set, but without basicConstraints,
+ * 5 if it has outdated Netscape Certificate Type extension telling that it is CA certificate.
+ */
+ return (X509_check_ca(cacert.get()) == 1);
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+ BOOST_THROW_EXCEPTION(std::invalid_argument("Not supported on this platform, OpenSSL version too old."));
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+}
+
 std::string to_string(const errinfo_openssl_error& e)
 {
 std::ostringstream tmp;
diff --git a/lib/base/tlsutility.hpp b/lib/base/tlsutility.hpp
index 0f120aaf9..715bfd426 100644
--- a/lib/base/tlsutility.hpp
+++ b/lib/base/tlsutility.hpp
@@ -47,6 +47,7 @@ String SHA256(const String& s);
 String RandomString(int length);
 
 bool VerifyCertificate(const std::shared_ptr& caCertificate, const std::shared_ptr& certificate);
+bool IsCa(const std::shared_ptr& cacert);
 
 class openssl_error : virtual public std::exception, virtual public boost::exception { };
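Review bot: `IsCa` passes `cacert.get()` to `X509_check_ca` without checking that the shared_ptr actually holds a certificate, so a caller handing in an empty pointer gives OpenSSL a null `X509*`; add a guard before the call, `if (!cacert) BOOST_THROW_EXCEPTION(std::invalid_argument("IsCa: certificate must not be null."));`. The strict `== 1` comparison is a sound, fail-closed choice (only an X509v3 certificate carrying basicConstraints CA:TRUE qualifies, while the 3/4/5 variants listed in the comment are rejected), but that contract is only visible in the .cpp; the declaration in tlsutility.hpp should carry it, e.g. `/* True only for an X509v3 certificate with basicConstraints CA:TRUE (X509_check_ca() == 1); v1 self-signed and keyUsage-only CAs are rejected. */`. The `#else` branch throws `std::invalid_argument` for a build-environment condition that has nothing to do with the argument; `std::runtime_error`, or a compile-time `#error` that surfaces the unsupported OpenSSL at build time rather than at the first certificate check, fits better.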