diff --git a/scripts/policy/protocols/ssl/cert-hash.bro b/scripts/policy/protocols/ssl/cert-hash.bro
index 0d0397e9c7..80a937f670 100644
--- a/scripts/policy/protocols/ssl/cert-hash.bro
+++ b/scripts/policy/protocols/ssl/cert-hash.bro
@@ -10,11 +10,11 @@ export {
 	};
 }
 
-event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=10
+event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=4
 	{
 	# We aren't tracking client certificates yet and we are also only tracking
-	# the primary cert.
-	if ( ! is_server || chain_idx != 0 ) 
+	# the primary cert.  Watch that this came from an SSL analyzed session too.
+	if ( ! is_server || chain_idx != 0 || ! c?$ssl ) 
 		return;
 
 	c$ssl$cert_hash = md5_hash(der_cert);