diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c
index fa2be3f..e118c27 100644
--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
@@ -304,25 +304,38 @@ typedef struct update_ssl_ctx_cb_args {
 	struct event *next;
 } update_ssl_ctx_cb_args_t;
 
+static void replace_one_ssl_ctx(SSL_CTX **to, SSL_CTX *from)
+{
+	if (*to)
+		SSL_CTX_free(*to);
+
+	SSL_CTX_up_ref(from);
+	*to = from;
+}
+
+/*
+ * Synchronise the ioa_engine's SSL certificates with the global ones
+ */
 static void update_ssl_ctx(evutil_socket_t sock, short events, update_ssl_ctx_cb_args_t *args)
 {
 	ioa_engine_handle e = args->engine;
 	turn_params_t *params = args->params;
 
+	/* No mutex with "e" as these are only used in the same event loop */
 	pthread_mutex_lock(&turn_params.tls_mutex);
-	e->tls_ctx_ssl23 = params->tls_ctx_ssl23;
-	e->tls_ctx_v1_0 = params->tls_ctx_v1_0;
+	replace_one_ssl_ctx(&e->tls_ctx_ssl23, params->tls_ctx_ssl23);
+	replace_one_ssl_ctx(&e->tls_ctx_v1_0, params->tls_ctx_v1_0);
 #if TLSv1_1_SUPPORTED
-	e->tls_ctx_v1_1 = params->tls_ctx_v1_1;
+	replace_one_ssl_ctx(&e->tls_ctx_v1_1, params->tls_ctx_v1_1);
 #if TLSv1_2_SUPPORTED
-	e->tls_ctx_v1_2 = params->tls_ctx_v1_2;
+	replace_one_ssl_ctx(&e->tls_ctx_v1_2, params->tls_ctx_v1_2);
 #endif
 #endif
 #if DTLS_SUPPORTED
-	e->dtls_ctx = params->dtls_ctx;
+	replace_one_ssl_ctx(&e->dtls_ctx, params->dtls_ctx);
 #endif
 #if DTLSv1_2_SUPPORTED
-	e->dtls_ctx_v1_2 = params->dtls_ctx_v1_2;
+	replace_one_ssl_ctx(&e->dtls_ctx_v1_2, params->dtls_ctx_v1_2);
 #endif
 	struct event *next = args->next;
 	pthread_mutex_unlock(&turn_params.tls_mutex);