diff --git a/ocaml/xapi/helpers.ml b/ocaml/xapi/helpers.ml
index 6a0b2cb826f..bed75da7b0a 100644
--- a/ocaml/xapi/helpers.ml
+++ b/ocaml/xapi/helpers.ml
@@ -2039,6 +2039,31 @@ let update_ca_bundle =
           )
     )
 
+let external_certificate_thumbprint_of_master ?(hash_type = `Sha256) () =
+  match hash_type with
+  | `Sha256 ->
+      Server_helpers.exec_with_new_task
+        "Get master's external certificate thumbprint" (fun __context ->
+          let master_ref = get_master ~__context in
+          let certs =
+            Db.Certificate.get_records_where ~__context
+              ~expr:
+                (And
+                   ( Eq (Field "host", Literal (Ref.string_of master_ref))
+                   , Eq (Field "type", Literal "host")
+                   )
+                )
+          in
+          match certs with
+          | [] ->
+              debug "Failed to fetch master's external certificate" ;
+              None
+          | (_, cert_record) :: _ ->
+              Some cert_record.certificate_fingerprint
+      )
+  | _ ->
+      None
+
 let unit_test ~__context : bool =
   Pool_role.is_unit_test ()
   ||