diff --git a/lib/web/Get-IcingaSSLCertForSocket.psm1 b/lib/web/Get-IcingaSSLCertForSocket.psm1
new file mode 100644
index 0000000..5626928
--- /dev/null
+++ b/lib/web/Get-IcingaSSLCertForSocket.psm1
@@ -0,0 +1,47 @@
+function Get-IcingaSSLCertForSocket()
+{
+ param(
+ [string]$CertFile = $null,
+ [string]$CertThumbprint = $null
+ );
+
+ # At first check if we assigned a cert file to use directly and check
+ # if it is there and either import a PFX or use our convert function
+ # to get a proper certificate
+ if ([string]::IsNullOrEmpty($CertFile) -eq $FALSE) {
+ if ((Test-Path $CertFile)) {
+ $FileType = Get-Item -Path $CertFile;
+ if ($FileType -eq '.pfx') {
+ return (New-Object Security.Cryptography.X509Certificates.X509Certificate2 $CertFile);
+ } else {
+ return ConvertTo-IcingaX509Certificate -CertFile $CertFile;
+ }
+ }
+ }
+
+ # We could also have assigned a Thumbprint to use from the
+ # Windows cert store. Try to look it up an return it if
+ # it is found
+ if ([string]::IsNullOrEmpty($CertThumbprint) -eq $FALSE) {
+ $Certificates = Get-ChildItem -Path 'cert:\*' -Recurse `
+ -Include $CertThumbprint `
+ -ErrorAction SilentlyContinue `
+ -WarningAction SilentlyContinue;
+
+ if ($Certificates.Count -ne 0) {
+ return $Certificates[0];
+ }
+ }
+
+ # If no cert file or thumbprint was specified or simpy as fallback,
+ # we should use the Icinga 2 Agent certificates
+ $AgentCertificate = Get-IcingaAgentHostCertificate;
+
+ # If Agent is not installed or certificates were not found,
+ # simply return null
+ if ($null -eq $AgentCertificate) {
+ return $null;
+ }
+
+ return (ConvertTo-IcingaX509Certificate -CertFile $AgentCertificate.CertFile);
+}
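Review bot: The PFX branch will not be reached as written, because `$FileType` holds the object returned by `Get-Item` and is compared to `'.pfx'` directly; the check should use the extension, `if ($FileType.Extension -eq '.pfx') {`, otherwise a .pfx file is passed to `ConvertTo-IcingaX509Certificate`. The thumbprint lookup also searches every store under `cert:\*` and returns the first hit, and `-Include` treats its argument as a wildcard pattern, so a certificate from an unintended store or one without a private key can end up on the socket; consider limiting the search to the expected store and matching exactly, e.g. `Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $CertThumbprint -and $_.HasPrivateKey }`. A `$CertFile` that is set but does not exist falls through silently to the thumbprint or Agent certificate, so a warning in that case would make a misconfigured path visible to the operator.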