diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index f5fd48f02..2ea1ba2bf 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -95,5 +95,16 @@ struct ckch_inst {
 struct list by_crtlist_entry; /* chained in crtlist_entry list of inst */
 };
+
+/*
+ * deduplicate cafile (and crlfile)
+ */
+struct cafile_entry {
+ X509_STORE *ca_store;
+ STACK_OF(X509_NAME) *ca_list;
+ struct ebmb_node node;
+ char path[0];
+};
+
 #endif /* USE_OPENSSL */
 #endif /* _HAPROXY_SSL_CKCH_T_H */
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 7d1b8ef2c..31cf3b5cd 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -54,5 +54,9 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
 void ckch_deinit();
+/* ssl_store functions */
+X509_STORE* ssl_store_get0_locations_file(char *path);
+int ssl_store_load_locations_file(char *path, int create_if_none);
+
 #endif /* USE_OPENSSL */
 #endif /* _HAPROXY_SSL_CRTLIST_H */
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index c68425a29..a96a67b54 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -36,6 +36,7 @@ extern int sslconns;
 extern int totalsslconns;
 extern struct eb_root ckchs_tree;
 extern struct eb_root crtlists_tree;
+extern struct eb_root cafile_tree;
 extern int sctl_ex_index;
 extern struct global_ssl global_ssl;
 extern struct ssl_bind_kw ssl_bind_kws[];
@@ -120,7 +121,6 @@ int ssl_sock_load_srv_cert(char *path, struct server *server, char **err);
 void ssl_free_global_issuers(void);
 int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_conf, struct proxy *curproxy, char **err);
 int ssl_init_single_engine(const char *engine_id, const char *def_algorithms);
-int ssl_store_load_locations_file(char *path, int create_if_none);
 /* ssl shctx macro */
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index bf7bfc698..9242360a9 100644
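Review bot: `char path[0];` in the new `struct cafile_entry` is a GNU zero-length array rather than the C99 flexible array member `char path[];`; now that the struct is exported from a shared header rather than kept private to src/ssl_sock.c, the standard form avoids relying on the extension and is what bounds-checking sanitizers understand, while the `sizeof(*ca_e) + pathlen + 1` allocation in src/ssl_ckch.c stays unchanged. If the project deliberately uses `[0]` in other headers, keep it for consistency. The struct also pulls `X509_STORE`, `STACK_OF(X509_NAME)` and `struct ebmb_node` into this header; if ssl_ckch-t.h does not already include the OpenSSL and ebmbtree headers, it should, so that the definition does not depend on the includer's include order.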
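Review bot: Both prototypes added to ssl_ckch.h take `char *path` although the definitions in src/ssl_ckch.c only read it (`ebst_lookup`, `strlen`, `memcpy` source, `X509_STORE_load_locations`) and copy it into the entry; since `ssl_store_get0_locations_file` becomes public here, `const char *path` would document that the caller's buffer is neither modified nor retained, assuming `ebst_lookup` accepts a const pointer. The `extern struct eb_root cafile_tree;` goes into ssl_sock.h while the tree's definition and both accessors live in ssl_ckch.c/ssl_ckch.h; declaring it next to these prototypes keeps the tree's interface in one header. A one-line comment on the getter, e.g. `/* returns the X509_STORE cached for <path>, or NULL; the store stays owned by its cafile_tree entry */`, would make the `get0` lifetime explicit for the new external callers.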
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -38,6 +38,7 @@
 #include
 #include
 #include
+#include
 /****************** Global Section Parsing ********************************************/
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 6931d196d..41bc7e1c8 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -921,6 +921,51 @@ struct ckch_inst *ckch_inst_new()
 return ckch_inst;
 }
+
+/******************** ssl_store functions ******************************/
+struct eb_root cafile_tree = EB_ROOT_UNIQUE;
+
+X509_STORE* ssl_store_get0_locations_file(char *path)
+{
+ struct ebmb_node *eb;
+
+ eb = ebst_lookup(&cafile_tree, path);
+ if (eb) {
+ struct cafile_entry *ca_e;
+ ca_e = ebmb_entry(eb, struct cafile_entry, node);
+ return ca_e->ca_store;
+ }
+ return NULL;
+}
+
+int ssl_store_load_locations_file(char *path, int create_if_none)
+{
+ X509_STORE *store = ssl_store_get0_locations_file(path);
+
+ /* If this function is called by the CLI, we should not call the
+ * X509_STORE_load_locations function because it performs forbidden disk
+ * accesses. */
+ if (!store && create_if_none) {
+ struct cafile_entry *ca_e;
+ store = X509_STORE_new();
+ if (X509_STORE_load_locations(store, path, NULL)) {
+ int pathlen;
+ pathlen = strlen(path);
+ ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
+ if (ca_e) {
+ memcpy(ca_e->path, path, pathlen + 1);
+ ca_e->ca_store = store;
+ ebst_insert(&cafile_tree, &ca_e->node);
+ }
+ } else {
+ X509_STORE_free(store);
+ store = NULL;
+ }
+ }
+ return (store != NULL);
+}
+
+
 /*************************** CLI commands ***********************/
 /* Type of SSL payloads that can be updated over the CLI */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 58f041388..0fc3388df 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
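Review bot: In `ssl_store_load_locations_file`, when `calloc` fails after `X509_STORE_load_locations` has succeeded, the store is neither inserted into `cafile_tree` nor freed, yet `store` is still non-NULL so the function returns 1: the caller is told the file was loaded, a later `ssl_store_get0_locations_file(path)` for the same path returns NULL, and the X509_STORE leaks. `X509_STORE_new()` is also passed to `X509_STORE_load_locations` without a NULL check. The rewrite below frees the store on the allocation-failure path, folds the NULL check into the load test (`X509_STORE_free(NULL)` is a no-op in OpenSSL), and makes `pathlen` a `size_t` to match `strlen`. The code is moved from src/ssl_sock.c so the defect predates this commit, but the move is the natural moment to fix it.
```c
	if (!store && create_if_none) {
		struct cafile_entry *ca_e;
		store = X509_STORE_new();
		/* X509_STORE_new() may return NULL; X509_STORE_free(NULL) is a no-op */
		if (store && X509_STORE_load_locations(store, path, NULL)) {
			size_t pathlen = strlen(path);
			ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
			if (ca_e) {
				memcpy(ca_e->path, path, pathlen + 1);
				ca_e->ca_store = store;
				ebst_insert(&cafile_tree, &ca_e->node);
			} else {
				/* loaded but not cached: do not report success for a
				 * store that no later lookup can find */
				X509_STORE_free(store);
				store = NULL;
			}
		} else {
			X509_STORE_free(store);
			store = NULL;
		}
	}
	/* … unchanged: return (store != NULL); … */
```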
@@ -315,57 +315,6 @@ static int ssl_locking_init(void)
 __decl_thread(HA_SPINLOCK_T ckch_lock);
-/*
- * deduplicate cafile (and crlfile)
- */
-struct cafile_entry {
- X509_STORE *ca_store;
- STACK_OF(X509_NAME) *ca_list;
- struct ebmb_node node;
- char path[0];
-};
-
-static struct eb_root cafile_tree = EB_ROOT_UNIQUE;
-
-static X509_STORE* ssl_store_get0_locations_file(char *path)
-{
- struct ebmb_node *eb;
-
- eb = ebst_lookup(&cafile_tree, path);
- if (eb) {
- struct cafile_entry *ca_e;
- ca_e = ebmb_entry(eb, struct cafile_entry, node);
- return ca_e->ca_store;
- }
- return NULL;
-}
-
-int ssl_store_load_locations_file(char *path, int create_if_none)
-{
- X509_STORE *store = ssl_store_get0_locations_file(path);
-
- /* If this function is called by the CLI, we should not call the
- * X509_STORE_load_locations function because it performs forbidden disk
- * accesses. */
- if (!store && create_if_none) {
- struct cafile_entry *ca_e;
- store = X509_STORE_new();
- if (X509_STORE_load_locations(store, path, NULL)) {
- int pathlen;
- pathlen = strlen(path);
- ca_e = calloc(1, sizeof(*ca_e) + pathlen + 1);
- if (ca_e) {
- memcpy(ca_e->path, path, pathlen + 1);
- ca_e->ca_store = store;
- ebst_insert(&cafile_tree, &ca_e->node);
- }
- } else {
- X509_STORE_free(store);
- store = NULL;
- }
- }
- return (store != NULL);
-}
 /* mimic what X509_STORE_load_locations do with store_ctx */
 static int ssl_set_cert_crl_file(X509_STORE *store_ctx, char *path)