diff --git a/.github/workflows/build-linux.yml b/.github/workflows/build-linux.yml
index 74a01d86..5e699c42 100644
--- a/.github/workflows/build-linux.yml
+++ b/.github/workflows/build-linux.yml
@@ -15,7 +15,7 @@ jobs:
 - name: dependencies
 run: |
 sudo apt update
- sudo apt install autotools-dev autoconf automake libtool libssl-dev libnss3-dev libgnutls30
+ sudo apt install autotools-dev autoconf automake libtool libssl-dev libnss3-dev libmbedtls-dev libgnutls28-dev
 - name: gen
 run: |
 autoreconf -ivf
diff --git a/ChangeLog b/ChangeLog
index bf846ce6..c97f083d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@ Copyright (c) 2005-2022 Alon Bar-Lev
 ????-??-?? - Version 1.31.0
 * threading: fix mutex handling for cond_wait, thanks to Gleb Popov.
+* mbed: initialize certificate early using mbedtls_x509_crt_init.
 2023-12-01 - Version 1.30.0
 * core: add dynamic loader provider attribute, thanks to Marc Becker.
diff --git a/lib/_pkcs11h-crypto-mbedtls.c b/lib/_pkcs11h-crypto-mbedtls.c
index 05bcb6f9..9904d3eb 100644
--- a/lib/_pkcs11h-crypto-mbedtls.c
+++ b/lib/_pkcs11h-crypto-mbedtls.c
@@ -87,13 +87,14 @@ __pkcs11h_crypto_mbedtls_certificate_get_expiration (
 (void)global_data;
+ mbedtls_x509_crt_init(&x509);
+
 /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
 _PKCS11H_ASSERT (blob!=NULL);
 _PKCS11H_ASSERT (expiration!=NULL);
 *expiration = (time_t)0;
- memset(&x509, 0, sizeof(x509));
 if (0 != mbedtls_x509_crt_parse (&x509, blob, blob_size)) {
 goto cleanup;
 }
@@ -134,6 +135,8 @@ __pkcs11h_crypto_mbedtls_certificate_get_dn (
 (void)global_data;
+ mbedtls_x509_crt_init(&x509);
+
 /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
 _PKCS11H_ASSERT (blob!=NULL);
 _PKCS11H_ASSERT (dn!=NULL);
@@ -141,7 +144,6 @@ __pkcs11h_crypto_mbedtls_certificate_get_dn (
 dn[0] = '\x0';
- memset(&x509, 0, sizeof(x509));
 if (0 != mbedtls_x509_crt_parse (&x509, blob, blob_size)) {
 goto cleanup;
 }
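Review bot: `mbedtls_x509_crt_parse` in __pkcs11h_crypto_mbedtls_certificate_get_expiration accepts PEM as well as DER and picks the parser from the buffer's content, so the format of `blob` is not fixed by this code. If the blobs passed here are always DER, which this hunk does not show, `mbedtls_x509_crt_parse_der (&x509, blob, blob_size)` would reject everything else; the same applies to the parse calls in the get_dn and is_issuer hunks. Separately, the added `mbedtls_x509_crt_init(&x509);` omits the space before the parenthesis that the neighbouring calls use (`mbedtls_x509_crt_parse (`, `_PKCS11H_ASSERT (`). The function body starts and ends outside the hunk.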
@@ -176,16 +178,17 @@ __pkcs11h_crypto_mbedtls_certificate_is_issuer (
 (void)global_data;
+ mbedtls_x509_crt_init(&x509_issuer);
+ mbedtls_x509_crt_init(&x509_cert);
+
 /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
 _PKCS11H_ASSERT (issuer_blob!=NULL);
 _PKCS11H_ASSERT (cert_blob!=NULL);
- memset(&x509_issuer, 0, sizeof(x509_issuer));
 if (0 != mbedtls_x509_crt_parse (&x509_issuer, issuer_blob, issuer_blob_size)) {
 goto cleanup;
 }
- memset(&x509_cert, 0, sizeof(x509_cert));
 if (0 != mbedtls_x509_crt_parse (&x509_cert, cert_blob, cert_blob_size)) {
 goto cleanup;
 }
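Review bot: Nothing at the two added `mbedtls_x509_crt_init` calls in __pkcs11h_crypto_mbedtls_certificate_is_issuer records that they must stay ahead of the first `goto cleanup`, so a later edit could move one back next to its parse call. The first parse can already jump to `cleanup`, which lies outside this hunk and presumably frees both certificates, so `x509_cert` has to be initialized by then. A comment above the calls would pin that down: `/* Both contexts must be initialized before the first goto cleanup. */`.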