diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index aa2dafe..a327b23 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -120,13 +120,13 @@ static X509_NAME *cnnic_ev_name =
 static Mutex* mutexes;
-static const char* const root_certs[] = {
+const char* const root_certs[] = {
 #include "node_root_certs.h" // NOLINT(build/include_order)
 };
-static std::string extra_root_certs_file; // NOLINT(runtime/string)
+std::string extra_root_certs_file; // NOLINT(runtime/string)
-static X509_STORE* root_cert_store;
+X509_STORE* root_cert_store;
 // Just to generate static methods
 template class SSLWrap;
@@ -865,8 +865,6 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) {
 }
 }
- // Increment reference count so global store is not deleted along with CTX.
- X509_STORE_up_ref(root_cert_store);
 SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
 }
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 746c954..06a9017 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -63,6 +63,8 @@ enum CheckResult {
 extern int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx);
+extern X509_STORE* root_cert_store;
+
 extern void UseExtraCaCerts(const std::string& file);
 // Forward declaration
@@ -143,6 +145,13 @@ class SecureContext : public BaseObject {
 }
 env()->isolate()->AdjustAmountOfExternalAllocatedMemory(-kExternalSize);
+ if (ctx_->cert_store == root_cert_store) {
+ // SSL_CTX_free() will attempt to free the cert_store as well.
+ // Since we want our root_cert_store to stay around forever
+ // we just clear the field. Hopefully OpenSSL will not modify this
+ // struct in future versions.
+ ctx_->cert_store = nullptr;
+ }
 SSL_CTX_free(ctx_);
 if (cert_ != nullptr) X509_free(cert_);
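Review bot: In the first node_crypto.cc hunk, dropping `static` gives `extra_root_certs_file` external linkage as well, yet the only declaration this diff adds is `extern X509_STORE* root_cert_store;` in node_crypto.h (`root_certs` stays internal either way because it is a const object). These globals decide which CAs the process trusts, so each one reachable from another translation unit widens what has to be audited. Unless a file not shown here needs it, keep `static std::string extra_root_certs_file;`. The new header declaration would also benefit from a comment stating ownership, e.g. `// Process-wide root store, created in node_crypto.cc and never freed; do not reassign.`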
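Review bot: With `X509_STORE_up_ref(root_cert_store);` removed at the end of AddRootCerts, `sc->ctx_` holds the global store without owning a reference, so the store survives only if every such SSL_CTX is released through the guarded cleanup added in node_crypto.h. Any other `SSL_CTX_free()` on a context carrying this pointer would free the shared store and leave `root_cert_store` dangling for every later context. Keeping the reference count is the sturdier invariant. If the call has to go, state the constraint at the assignment, e.g. `// Borrowed pointer: this ctx must only be freed by the SecureContext cleanup, which detaches root_cert_store first.` The function body starts outside the hunk.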
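Review bot: The block added before `SSL_CTX_free(ctx_)` reads and writes `ctx_->cert_store` directly, which compiles only while the TLS library exposes the SSL_CTX layout; OpenSSL 1.1.0 and later make that struct opaque. The comparison can go through the accessor, `if (SSL_CTX_get_cert_store(ctx_) == root_cert_store) {`, but no public call detaches a store without freeing it, which is the case the removed reference count covered. SSL_CTX is itself reference counted, so an SSL object that still holds this context after the cleanup would continue with a null store; it is worth confirming that this path fails verification closed. The enclosing function begins and ends outside the hunk.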