diff --git a/ChangeLog.txt b/ChangeLog.txt
index daa344e3..178c1373 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -50,6 +50,8 @@ Broker:
 - Enabling certificate based TLS encryption is now through certfile and
   keyfile, not capath or cafile.
 - Added support for controlling UNSUBSCRIBE calls in v5 plugin ACL checks.
+- Document that X509_free() must be called after using
+  mosquitto_client_certificate(). Closes #1842.
 
 Client library:
 - Client no longer generates random client ids for v3.1.1 clients, these are
diff --git a/include/mosquitto_broker.h b/include/mosquitto_broker.h
index 6663bd38..08053efc 100644
--- a/include/mosquitto_broker.h
+++ b/include/mosquitto_broker.h
@@ -260,6 +260,9 @@ mosq_EXPORT int mosquitto_client_keepalive(const struct mosquitto *client);
  * NULL will be returned. This function will only ever return a non-NULL value
  * if the `require_certificate` option is set to true.
  *
+ * When you have finished with the x509 pointer, it must be freed using
+ * X509_free().
+ *
  * If TLS is not supported, this function will always return NULL.
  */
 mosq_EXPORT void *mosquitto_client_certificate(const struct mosquitto *client);