diff --git a/src/util/cert/libcrypto/cert.c b/src/util/cert/libcrypto/cert.c
index 24de7a79833..8cf73892b81 100644
--- a/src/util/cert/libcrypto/cert.c
+++ b/src/util/cert/libcrypto/cert.c
@@ -374,7 +374,7 @@ static errno_t ec_pub_key_to_ssh(TALLOC_CTX *mem_ctx, EVP_PKEY *cert_pub_key,
 #define SSH_RSA_HEADER_LEN (sizeof(SSH_RSA_HEADER) - 1)
 
 static int sss_rsa_get_key(EVP_PKEY *cert_pub_key,
-                           const BIGNUM **n, const BIGNUM **e)
+                           BIGNUM **n, BIGNUM **e)
 {
     int ret;
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
@@ -420,8 +420,8 @@ static errno_t rsa_pub_key_to_ssh(TALLOC_CTX *mem_ctx, EVP_PKEY *cert_pub_key,
     size_t c;
     size_t size;
     uint8_t *buf = NULL;
-    const BIGNUM *n = NULL;
-    const BIGNUM *e = NULL;
+    BIGNUM *n = NULL;
+    BIGNUM *e = NULL;
     int modulus_len;
     unsigned char modulus[OPENSSL_RSA_MAX_MODULUS_BITS/8];
     int exponent_len;
@@ -475,6 +475,10 @@ static errno_t rsa_pub_key_to_ssh(TALLOC_CTX *mem_ctx, EVP_PKEY *cert_pub_key,
     ret = EOK;
 
 done:
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+    BN_clear_free(n);
+    BN_clear_free(e);
+#endif
     if (ret != EOK)  {
         talloc_free(buf);
     }