diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index dbead4625..6a54b575c 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -416,7 +416,32 @@ get_cert_scheme (GBytes *bytes, GError **error)
 	}
 
 	data = g_bytes_get_data (bytes, &length);
-	if (!length) {
+	return nm_setting_802_1x_check_cert_scheme (data, length, error);
+}
+
+/**
+ * nm_setting_802_1x_check_cert_scheme:
+ * @pdata: (allow-none): the data pointer
+ * @length: the length of the data
+ * @error: (allow-none): (out): validation reason
+ *
+ * Determines and verifies the blob type.
+ * When setting certificate properties of NMSetting8021x
+ * the blob must be not UNKNOWN (or NULL).
+ *
+ * Returns: the scheme of the blob or %NM_SETTING_802_1X_CK_SCHEME_UNKNOWN.
+ * For NULL it also returns NM_SETTING_802_1X_CK_SCHEME_UNKNOWN.
+ *
+ * Since: 1.2
+ **/
+NMSetting8021xCKScheme
+nm_setting_802_1x_check_cert_scheme (gconstpointer pdata, gsize length, GError **error)
+{
+	const char *data = pdata;
+
+	g_return_val_if_fail (!length || data, NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);
+
+	if (!length || !data) {
 		g_set_error_literal (error,
 		                     NM_CONNECTION_ERROR,
 		                     NM_CONNECTION_ERROR_INVALID_PROPERTY,
@@ -484,11 +509,8 @@ load_and_verify_certificate (const char *cert_path,
 		 * file://.
 		 * If that's the case, coerce the format to UNKNOWN. The callers will take care
 		 * of that and not set the blob. */
-		GBytes *bytes = g_bytes_new_static (array->data, array->len);
-
-		if (get_cert_scheme (bytes, NULL) != NM_SETTING_802_1X_CK_SCHEME_BLOB)
+		if (nm_setting_802_1x_check_cert_scheme (array->data, array->len, NULL) != NM_SETTING_802_1X_CK_SCHEME_BLOB)
 			format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
-		g_bytes_unref (bytes);
 	}
 
 	if (out_file_format)
diff --git a/libnm-core/nm-setting-8021x.h b/libnm-core/nm-setting-8021x.h
index 43885daaa..326165aa5 100644
--- a/libnm-core/nm-setting-8021x.h
+++ b/libnm-core/nm-setting-8021x.h
@@ -147,6 +147,9 @@ GType nm_setting_802_1x_get_type (void);
 
 NMSetting *nm_setting_802_1x_new (void);
 
+NM_AVAILABLE_IN_1_2
+NMSetting8021xCKScheme nm_setting_802_1x_check_cert_scheme (gconstpointer pdata, gsize length, GError **error);
+
 guint32           nm_setting_802_1x_get_num_eap_methods              (NMSetting8021x *setting);
 const char *      nm_setting_802_1x_get_eap_method                   (NMSetting8021x *setting, guint32 i);
 gboolean          nm_setting_802_1x_add_eap_method                   (NMSetting8021x *setting, const char *eap);
diff --git a/libnm/libnm.ver b/libnm/libnm.ver
index 258336ae3..44b83f6ec 100644
--- a/libnm/libnm.ver
+++ b/libnm/libnm.ver
@@ -847,6 +847,7 @@ local:
 
 libnm_1_2_0 {
 global:
+	nm_setting_802_1x_check_cert_scheme;
 	nm_setting_bridge_get_multicast_snooping;
 	nm_setting_wireless_get_powersave;
 	nm_utils_bond_mode_int_to_string;