diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java b/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java
index 32bb3adc2408..a66bc23e46ba 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java
@@ -53,6 +53,7 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer
     public static final String JAVAX_SERVLET_REQUEST_CIPHER_SUITE = "javax.servlet.request.cipher_suite";
     public static final String JAVAX_SERVLET_REQUEST_KEY_SIZE = "javax.servlet.request.key_size";
     public static final String JAVAX_SERVLET_REQUEST_SSL_SESSION_ID = "javax.servlet.request.ssl_session_id";
+    public static final String X509_CERT = "org.eclipse.jetty.server.x509_cert";
 
     private String sslSessionAttribute = "org.eclipse.jetty.servlet.request.ssl_session";
 
@@ -245,26 +246,24 @@ protected void customize(SSLEngine sslEngine, Request request)
         if (isSniRequired() || isSniHostCheck())
         {
             String sniHost = (String)sslSession.getValue(SslContextFactory.Server.SNI_HOST);
-            Certificate[] certificates = sslSession.getLocalCertificates();
-            X509 cert = (certificates != null && certificates.length > 0 && certificates[0] instanceof X509Certificate)
-                ? new X509(null, (X509Certificate)certificates[0]) : null;
-            String serverName = request.getServerName();
-            if (LOG.isDebugEnabled())
-                LOG.debug("Host={}, SNI={}, SNI Certificate={}", serverName, sniHost, cert);
-
-            if (isSniRequired())
+            X509 x509 = (X509)sslSession.getValue(X509_CERT);
+            if (x509 == null)
             {
-                if (sniHost == null)
-                    throw new BadMessageException(400, "Invalid SNI");
-                if (cert == null || !cert.matches(sniHost))
+                Certificate[] certificates = sslSession.getLocalCertificates();
+                if (certificates == null || certificates.length == 0 || !(certificates[0] instanceof X509Certificate))
                     throw new BadMessageException(400, "Invalid SNI");
+                x509 = new X509(null, (X509Certificate)certificates[0]);
+                sslSession.putValue(X509_CERT, x509);
             }
+            String serverName = request.getServerName();
+            if (LOG.isDebugEnabled())
+                LOG.debug("Host={}, SNI={}, SNI Certificate={}", serverName, sniHost, x509);
 
-            if (isSniHostCheck())
-            {
-                if (cert == null || !cert.matches(serverName))
-                    throw new BadMessageException(400, "Invalid SNI");
-            }
+            if (isSniRequired() && (sniHost == null || !x509.matches(sniHost)))
+                throw new BadMessageException(400, "Invalid SNI");
+
+            if (isSniHostCheck() && !x509.matches(serverName))
+                throw new BadMessageException(400, "Invalid SNI");
         }
 
         request.setAttributes(new SslAttributes(request, sslSession));