﻿diff --git a/include/curl/curl.h b/include/curl/curl.h
index 2cad282..c2a1d87 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1996,9 +1996,10 @@ typedef enum {
   CURLINFO_PRIMARY_PORT     = CURLINFO_LONG   + 40,
   CURLINFO_LOCAL_IP         = CURLINFO_STRING + 41,
   CURLINFO_LOCAL_PORT       = CURLINFO_LONG   + 42,
+  CURLINFO_SSL_TRUST        = CURLINFO_LONG   + 43,
   /* Fill in new entries below here! */
 
-  CURLINFO_LASTONE          = 42
+  CURLINFO_LASTONE          = 43
 } CURLINFO;
 
 /* CURLINFO_RESPONSE_CODE is the new name for the option previously known as
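Review bot: The new `CURLINFO_SSL_TRUST` entry has no comment saying what the long carries or how long the value stays valid. Going by the other files in this commit, it is a `SecTrustRef` cast to `long`, set only in darwinssl builds, and the handle calls `CFRelease` on it before the next handshake and in `Curl_ssl_free_certinfo`, so a caller that keeps the value without retaining it would hold a dangling reference. I would add `/* darwinssl only: SecTrustRef of the last handshake, owned by the handle; CFRetain it to keep it */` here and a matching comment on the `trust` field in lib/urldata.h. The comment should also say that the object is stored on the certificate-failure path too, so a non-NULL value does not mean the peer was verified.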
diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c
index b998914..bd049fa 100644
--- a/lib/curl_darwinssl.c
+++ b/lib/curl_darwinssl.c
@@ -277,6 +277,10 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
               || ssl_connect_2_writing == connssl->connecting_state
               || ssl_connect_2_wouldblock == connssl->connecting_state);
 
+  if(data->info.trust)
+    CFRelease(data->info.trust);
+  data->info.trust = NULL;
+
   /* Here goes nothing: */
   err = SSLHandshake(connssl->ssl_ctx);
 
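Review bot: `data->info.trust` is a single slot on the easy handle, but it is only reset here, when a handshake actually runs, and in `Curl_ssl_free_certinfo` (lib/sslgen.c). If a later transfer on the same handle reuses an existing connection or is not TLS at all, no handshake runs and `CURLINFO_SSL_TRUST` would presumably still return the previous peer's trust object. The callers of `Curl_ssl_free_certinfo` are not visible in this diff, so this needs confirming. Running the same `if(data->info.trust) CFRelease(data->info.trust);` / `data->info.trust = NULL;` pair at the start of every transfer would avoid reporting trust data for the wrong peer, and putting it in one shared helper would remove the copy in lib/sslgen.c. The body of `darwinssl_connect_step2` starts and ends outside the hunk.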
@@ -295,6 +299,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
       case errSSLUnknownRootCert:
       case errSSLNoRootCert:
       case errSSLCertExpired:
+        (void)SSLCopyPeerTrust(connssl->ssl_ctx, &(data->info.trust));
         failf(data, "SSL certificate problem: OSStatus %d", err);
         return CURLE_SSL_CACERT;
         break;
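Review bot: The `OSStatus` returned by `SSLCopyPeerTrust` is discarded by the `(void)` cast, both on this certificate-error path and on the success path in the next hunk. Whether a failed call leaves `data->info.trust` untouched is not visible from here, so I would make the outcome explicit: `if(SSLCopyPeerTrust(connssl->ssl_ctx, &data->info.trust) != noErr) data->info.trust = NULL;`. A short comment on this line should say that the object is kept for a handshake that failed verification, so that code reading `CURLINFO_SSL_TRUST` does not treat its presence as a pass. The enclosing `switch` begins and ends outside the hunk.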
@@ -309,6 +314,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
   else {
     /* we have been connected fine, we're not waiting for anything else. */
     connssl->connecting_state = ssl_connect_3;
+    (void)SSLCopyPeerTrust(connssl->ssl_ctx, &(data->info.trust));
 
     /* Informational message */
     (void)SSLGetNegotiatedCipher(connssl->ssl_ctx, &cipher);
diff --git a/lib/getinfo.c b/lib/getinfo.c
index cd6feee..2ba5481 100644
--- a/lib/getinfo.c
+++ b/lib/getinfo.c
@@ -279,6 +279,11 @@ CURLcode Curl_getinfo(struct SessionHandle *data, CURLINFO info, ...)
   case CURLINFO_RTSP_CSEQ_RECV:
     *param_longp = data->state.rtsp_CSeq_recv;
     break;
+  case CURLINFO_SSL_TRUST:
+#ifdef USE_DARWINSSL
+    *param_longp = (long)data->info.trust;
+#endif
+    break;
 
   default:
     return CURLE_BAD_FUNCTION_ARGUMENT;
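Review bot: In builds without `USE_DARWINSSL` the new `case CURLINFO_SSL_TRUST:` reaches `break` without writing `*param_longp`, so the caller's variable stays uninitialised while the function apparently still reports success (the return after the `switch` is outside the hunk). Add an `#else` branch with `*param_longp = 0;`, or return `CURLE_BAD_FUNCTION_ARGUMENT` there so callers can tell the information is unavailable. The `(long)` cast of a pointer also deserves a comment, since it only round-trips where `long` is pointer-sized, which is nowhere stated.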
diff --git a/lib/sslgen.c b/lib/sslgen.c
index 0f8de45..77e2052 100644
--- a/lib/sslgen.c
+++ b/lib/sslgen.c
@@ -553,6 +553,11 @@ void Curl_ssl_free_certinfo(struct SessionHandle *data)
     ci->certinfo = NULL;
     ci->num_of_certs = 0;
   }
+#ifdef USE_DARWINSSL
+  if(data->info.trust)
+    CFRelease(data->info.trust);
+  data->info.trust = NULL;
+#endif
 }
 
 #ifndef USE_WINDOWS_SSPI
diff --git a/lib/urldata.h b/lib/urldata.h
index 5ad07c5..264f320 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1055,6 +1055,9 @@ struct PureInfo {
   struct curl_certinfo certs; /* info about the certs, only populated in
                                  OpenSSL builds. Asked for with
                                  CURLOPT_CERTINFO / CURLINFO_CERTINFO */
+#ifdef USE_DARWINSSL
+  SecTrustRef trust;
+#endif
 };
 
 
