diff --git a/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java b/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
index ee972d790..b117fa93c 100644
--- a/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
+++ b/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
@@ -1008,7 +1008,6 @@ private SSLException checkSSLAlerts() {
 private void updateHandshakeState() {
 debug("JSSEngine: updateHandshakeState()");
-
 // If we've previously seen an exception, we should just return
 // here; there's already an alert on the wire, so there's no point
 // in checking for new ones and/or stepping the handshake: it has
@@ -1056,6 +1055,14 @@ private void updateHandshakeState() {
 if (SSL.ForceHandshake(ssl_fd) == SSL.SECFailure) {
 int error_value = PR.GetError();
+ try {
+ PK11Cert[] peer_chain = SSL.PeerCertificateChain(ssl_fd);
+ session.setPeerCertificates(peer_chain);
+ } catch (Exception e) {
+ // If certificate is not available, then the handshake error is before
+ // peerCertificate was retrieved. The following message is enough to report
+ }
+
 if (error_value != PRErrors.WOULD_BLOCK_ERROR) {
 debug("JSSEngine.updateHandshakeState() - FATAL " + getStatus());
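Review bot: The chain stored by `session.setPeerCertificates(peer_chain)` in the new `try` block comes from a handshake that has just returned `SECFailure`, so it is unauthenticated, and because the block sits above the `error_value != PRErrors.WOULD_BLOCK_ERROR` test it also runs on every non-fatal would-block step. If anything reads the session's peer certificates as evidence of a verified peer (not visible in this hunk), a rejected certificate could be mistaken for an accepted one; I would move the block inside the fatal branch and mark it with a comment such as `// Chain from a failed handshake: unverified, for error reporting only`. The empty `catch (Exception e)` also hides any unrelated failure; narrow the type if the callee allows it, or at least record it with `debug("JSSEngine.updateHandshakeState() - peer chain unavailable: " + e);`. The body of updateHandshakeState continues outside the hunk.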