diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java b/tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java
index 3ace602565..37b0dad37d 100644
--- a/tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java
+++ b/tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java
@@ -1459,7 +1459,7 @@ protected void receive13ClientCertificate(ByteArrayInputStream buf)
             .setCertificateType(tlsServerContext.getSecurityParametersHandshake().getClientCertificateType())
             .setMaxChainLength(tlsServer.getMaxCertificateChainLength());
 
-        Certificate clientCertificate = Certificate.parse(options, tlsServerContext, buf, null);
+        Certificate clientCertificate = TlsUtils.parseCertificate(options, tlsServerContext, buf, null);
 
         assertEmpty(buf);
 
@@ -1499,7 +1499,7 @@ protected void receiveCertificateMessage(ByteArrayInputStream buf)
             .setCertificateType(tlsServerContext.getSecurityParametersHandshake().getClientCertificateType())
             .setMaxChainLength(tlsServer.getMaxCertificateChainLength());
 
-        Certificate clientCertificate = Certificate.parse(options, tlsServerContext, buf, null);
+        Certificate clientCertificate = TlsUtils.parseCertificate(options, tlsServerContext, buf, null);
 
         assertEmpty(buf);
 
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java b/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java
index 69b8930203..0803cea3e7 100644
--- a/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java
+++ b/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java
@@ -28,6 +28,7 @@ import org.bouncycastle.asn1.rosstandart.RosstandartObjectIdentifiers;
 import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
 import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
+import org.bouncycastle.tls.Certificate.ParseOptions;
 import org.bouncycastle.tls.crypto.Tls13Verifier;
 import org.bouncycastle.tls.crypto.TlsAgreement;
 import org.bouncycastle.tls.crypto.TlsCertificate;
@@ -5172,6 +5173,22 @@ private static boolean isSafeRenegotiationServerCertificate(TlsClientContext cli
         return false;
     }
 
+    static Certificate parseCertificate(ParseOptions options, TlsContext context, ByteArrayInputStream buf,
+        ByteArrayOutputStream endPointHashOutput) throws TlsFatalAlert {
+        try
+        {
+            return Certificate.parse(options, context, buf, endPointHashOutput);
+        }
+        catch (TlsFatalAlert e)
+        {
+            throw e;
+        }
+        catch (IOException e)
+        {
+            throw new TlsFatalAlert(AlertDescription.bad_certificate, e);
+        }
+    }
+
     static TlsAuthentication receiveServerCertificate(TlsClientContext clientContext, TlsClient client,
         ByteArrayInputStream buf, Hashtable serverExtensions) throws IOException
     {
@@ -5188,7 +5205,7 @@ static TlsAuthentication receiveServerCertificate(TlsClientContext clientContext
             .setCertificateType(securityParameters.getServerCertificateType())
             .setMaxChainLength(client.getMaxCertificateChainLength());
 
-        Certificate serverCertificate = Certificate.parse(options, clientContext, buf, endPointHash);
+        Certificate serverCertificate = parseCertificate(options, clientContext, buf, endPointHash);
 
         TlsProtocol.assertEmpty(buf);
 
@@ -5229,7 +5246,7 @@ static TlsAuthentication receive13ServerCertificate(TlsClientContext clientConte
             .setCertificateType(securityParameters.getServerCertificateType())
             .setMaxChainLength(client.getMaxCertificateChainLength());
 
-        Certificate serverCertificate = Certificate.parse(options, clientContext, buf, null);
+        Certificate serverCertificate = parseCertificate(options, clientContext, buf, null);
 
         TlsProtocol.assertEmpty(buf);
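Review bot: The new parseCertificate helper in the 5172 hunk carries no comment explaining why an IOException from Certificate.parse is converted into a fatal bad_certificate alert while a TlsFatalAlert is rethrown untouched, and that distinction is what the call sites in this file and in TlsServerProtocol now rely on to avoid masking a more specific alert chosen by the parser. I would add a short Javadoc above the signature: `/** Parses a peer-supplied Certificate message; a decoding IOException becomes a fatal bad_certificate alert, while a TlsFatalAlert raised by the parser is propagated unchanged. */`. The separate rethrow branch presumably exists because TlsFatalAlert is itself an IOException, which is worth stating in that comment so the two catch clauses are not "simplified" into one later. Trailing bytes after the message are still rejected by the TlsProtocol.assertEmpty call that follows each parse, so those sites keep their existing alert behaviour for that case.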