diff --git a/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java b/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
index d6056267b..e0bd4ea50 100644
--- a/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
+++ b/base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
@@ -1006,7 +1006,6 @@ private SSLException checkSSLAlerts() {
 private void updateHandshakeState() {
 debug("JSSEngine: updateHandshakeState()");
-
 // If we've previously seen an exception, we should just return
 // here; there's already an alert on the wire, so there's no point
 // in checking for new ones and/or stepping the handshake: it has
@@ -1054,6 +1053,14 @@ private void updateHandshakeState() {
 if (SSL.ForceHandshake(ssl_fd) == SSL.SECFailure) {
 int error_value = PR.GetError();
+ try {
+ PK11Cert[] peer_chain = SSL.PeerCertificateChain(ssl_fd);
+ session.setPeerCertificates(peer_chain);
+ } catch (Exception e) {
+ // If certificate is not available, then the handshake error is before
+ // peerCertificate was retrieved. The following message is enough to report
+ }
+
 if (error_value != PRErrors.WOULD_BLOCK_ERROR) {
 debug("JSSEngine.updateHandshakeState() - FATAL " + getStatus());
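Review bot: The peer-chain lookup added after `int error_value = PR.GetError();` sits before the `WOULD_BLOCK_ERROR` test, so it appears to run on every handshake step that merely would block rather than only on fatal failures, and its empty `catch (Exception e)` silently discards any failure, including unexpected runtime exceptions. Moving the `try` inside `if (error_value != PRErrors.WOULD_BLOCK_ERROR) {` and narrowing the catch to what `SSL.PeerCertificateChain` is declared to throw, with a handler line such as `debug("JSSEngine.updateHandshakeState() - peer chain unavailable: " + e.getMessage());`, would keep the diagnostic value without hiding errors. The chain passed to `session.setPeerCertificates(peer_chain)` comes from a handshake that failed, so it is unauthenticated. If the session stays reachable to callers after the failure (not visible here), a comment should say these certificates are for error reporting only and must not be read as a validated peer identity. updateHandshakeState() starts and ends outside this hunk.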