diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index 8192fb9e42..8c108c8743 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -6,15 +6,12 @@ module X509;
 export {
 redef enum Log::ID += { LOG };
- ## Set that keeps track of the certificates which were logged recently.
- global cert_hashes: set[string] &create_expire=1hrs &synchronized &redef;
-
 type Info: record {
 ## current timestamp
 ts: time &log;
- ## SHA-1 hash of this certificate
- sha1: string &log &optional;
+ ## file id of this certificate
+ id: string &log;
 ## Basic information about the certificate
 certificate: X509::Certificate &log;
@@ -48,20 +45,9 @@ redef record Files::Info += {
 x509: X509::Info &optional;
 };
-# Either, this event arrives first - then info$x509 does not exist
-# yet and this is a no-op, and the sha1 value is set in x509_certificate.
-# Or the x509_certificate event arrives first - then the hash is set here.
-event file_hash(f: fa_file, kind: string, hash: string)
- {
- if ( f$info?$x509 && kind == "sha1" )
- f$info$x509$sha1 = hash;
- }
-
 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
 {
- f$info$x509 = [$ts=f$info$ts, $certificate=cert, $handle=cert_ref];
- if ( f$info?$sha1 )
- f$info$x509$sha1 = f$info$sha1;
+ f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
 }
 event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
@@ -87,17 +73,5 @@ event file_state_remove(f: fa_file) &priority=5
 if ( ! f$info?$x509 )
 return;
- if ( ! f$info$x509?$sha1 )
- {
- Reporter::error(fmt("Certificate without a hash value. Logging skipped. File-id: %s", f$id));
- return;
- }
-
- if ( f$info$x509$sha1 in cert_hashes )
- # we already have seen & logged this certificate
- return;
-
- add cert_hashes[f$info$x509$sha1];
-
 Log::write(LOG, f$info$x509);
 }
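Review bot: The comment on the new `id` field, `## file id of this certificate`, does not say what the value is or what it is for; with `sha1` dropped from `X509::Info`, this id is now the only key linking an x509.log row back to the certificate's hashes, which are still computed for the file (the MD5/SHA-1 analyzers are kept in files.bro) and presumably land in files.log rather than here. Suggest `## File id of the file this certificate was extracted from; join against files.log on this value to obtain the certificate's MD5/SHA-1 hashes.` The `Info` record definition continues outside the hunk.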
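Review bot: With the `cert_hashes` membership check gone, `Log::write(LOG, f$info$x509)` runs for every certificate file that reaches `file_state_remove`, so a certificate served on many connections is logged once per connection rather than once per hour as before; x509.log volume now scales with TLS connection count. If that is intended, a comment before the write should record it, e.g. `# No de-duplication: one x509.log entry per certificate file seen.`, otherwise a de-duplication keyed on `f$id` or on a hash from `f$info` is still needed here. The body of `file_state_remove` starts outside the hunk.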
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index 18bf3c3236..4216f26fe3 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -11,17 +11,17 @@ export {
 ## complete signing chain.
 cert_chain: vector of Files::Info &optional;
- ## An ordered vector of all certicate sha1 hashes for the
+ ## An ordered vector of all certicate file unique IDs for the
 ## certificates offered by the server.
- cert_chain_sha1s: vector of string &optional &log;
+ cert_chain_fuids: vector of string &optional &log;
 ## Chain of certificates offered by the client to validate its
 ## complete signing chain.
 client_cert_chain: vector of Files::Info &optional;
- ## An ordered vector of all certicate sha1 hashes for the
+ ## An ordered vector of all certicate file unique IDs for the
 ## certificates offered by the client.
- client_cert_chain_sha1s: vector of string &optional &log;
+ client_cert_chain_fuids: vector of string &optional &log;
 ## Subject of the X.509 certificate offered by the server.
 subject: string &log &optional;
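Review bot: Both added comment lines carry over the typo `certicate` from the lines they replace; they should read `## An ordered vector of all certificate file unique IDs for the`. Since `cert_chain_fuids` and `client_cert_chain_fuids` are `&log` fields that take the place of `cert_chain_sha1s`/`client_cert_chain_sha1s` in ssl.log, the comment should also state that each id refers to the corresponding files.log entry, because existing ssl.log consumers keyed on the SHA-1 will need that join to recover the hashes. The `export` block continues outside the hunk.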
@@ -107,22 +107,31 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 {
 c$ssl$cert_chain = vector();
 c$ssl$client_cert_chain = vector();
+ c$ssl$cert_chain_fuids = string_vec();
+ c$ssl$client_cert_chain_fuids = string_vec();
 }
 if ( is_orig )
+ {
 c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
+ c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
+ }
 else
+ {
 c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
+ c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
+ }
 Files::add_analyzer(f, Files::ANALYZER_X509);
- # always calculate hashes. SHA1 is always required for certificates.
+ # always calculate hashes. They are not necessary for base scripts
+ # but very useful for identification, and required for policy scripts
 Files::add_analyzer(f, Files::ANALYZER_MD5);
 Files::add_analyzer(f, Files::ANALYZER_SHA1);
 }
 event ssl_established(c: connection) &priority=6
 {
- # update subject and issuer information as well as sha1 hashes
+ # update subject and issuer information
 if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 )
 {
 c$ssl$subject = c$ssl$cert_chain[0]$x509$certificate$subject;
@@ -134,19 +143,4 @@ event ssl_established(c: connection) &priority=6
 c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject;
 c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer;
 }
-
- if ( c$ssl?$cert_chain )
- {
- c$ssl$cert_chain_sha1s = string_vec();
- for ( i in c$ssl$cert_chain )
- c$ssl$cert_chain_sha1s[i] = c$ssl$cert_chain[i]$x509$sha1;
- }
-
- if ( c$ssl?$client_cert_chain )
- {
- c$ssl$client_cert_chain_sha1s = string_vec();
- for ( i in c$ssl$client_cert_chain )
- c$ssl$client_cert_chain_sha1s[i] = c$ssl$client_cert_chain[i]$x509$sha1;
- }
 }
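Review bot: `cert_chain_fuids` and `client_cert_chain_fuids` are filled as parallel vectors to `cert_chain` and `client_cert_chain`, but nothing records the invariant that index i of each pair refers to the same certificate; it holds here because `f$info` and `f$id` are appended in the same branch, and a comment above `if ( is_orig )` would protect it: `# *_fuids[i] is the file id of *_chain[i]; kept as a separate vector because the Files::Info vectors are &optional without &log.` The guard around the initialization block is outside the hunk, so I cannot confirm the fuid vectors are created on every path that creates the chain vectors; if the guard only tests `cert_chain`, any earlier code that sets it alone would leave the fuid vectors absent and the indexed append would fail. The handler's body starts outside the hunk.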