diff --git a/src/libnm-client-impl/nm-libnm-utils.c b/src/libnm-client-impl/nm-libnm-utils.c
index d3d429eba..951db1bc1 100644
--- a/src/libnm-client-impl/nm-libnm-utils.c
+++ b/src/libnm-client-impl/nm-libnm-utils.c
@@ -10,7 +10,9 @@
 #include "libnm-glib-aux/nm-time-utils.h"
 #include "libnm-core-aux-intern/nm-common-macros.h"
+#include "libnm-crypto/nm-crypto.h"
 #include "nm-object.h"
+#include "nm-utils.h"
 /*****************************************************************************/
@@ -914,3 +916,58 @@ nm_utils_print(int output_mode, const char *msg)
 else g_return_if_reached();
 }
+
+/*****************************************************************************/
+
+/**
+ * nm_utils_file_is_certificate:
+ * @filename: name of the file to test
+ *
+ * Tests if @filename has a valid extension for an X.509 certificate file
+ * (".cer", ".crt", ".der", or ".pem"), and contains a certificate in a format
+ * recognized by NetworkManager.
+ *
+ * Returns: %TRUE if the file is a certificate, %FALSE if it is not
+ **/
+gboolean
+nm_utils_file_is_certificate(const char *filename)
+{
+ g_return_val_if_fail(filename != NULL, FALSE);
+
+ return nm_crypto_utils_file_is_certificate(filename);
+}
+
+/**
+ * nm_utils_file_is_private_key:
+ * @filename: name of the file to test
+ * @out_encrypted: (out): on return, whether the file is encrypted
+ *
+ * Tests if @filename has a valid extension for an X.509 private key file
+ * (".der", ".key", ".pem", or ".p12"), and contains a private key in a format
+ * recognized by NetworkManager.
+ *
+ * Returns: %TRUE if the file is a private key, %FALSE if it is not
+ **/
+gboolean
+nm_utils_file_is_private_key(const char *filename, gboolean *out_encrypted)
+{
+ g_return_val_if_fail(filename != NULL, FALSE);
+
+ return nm_crypto_utils_file_is_private_key(filename, out_encrypted);
+}
+
+/**
+ * nm_utils_file_is_pkcs12:
+ * @filename: name of the file to test
+ *
+ * Tests if @filename is a PKCS#12 file.
+ *
+ * Returns: %TRUE if the file is PKCS#12, %FALSE if it is not
+ **/
+gboolean
+nm_utils_file_is_pkcs12(const char *filename)
+{
+ g_return_val_if_fail(filename != NULL, FALSE);
+
+ return nm_crypto_is_pkcs12_file(filename, NULL);
+}
diff --git a/src/libnm-client-public/nm-client.h b/src/libnm-client-public/nm-client.h
index 8b00eab09..2e3e77c43 100644
--- a/src/libnm-client-public/nm-client.h
+++ b/src/libnm-client-public/nm-client.h
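Review bot: In `nm_utils_file_is_private_key()`, the `g_return_val_if_fail(filename != NULL, FALSE)` guard returns before anything writes `*out_encrypted`, although the doc comment describes it as an `(out)` value set on return. The removed implementation in nm-utils.c had the same ordering, so this is inherited, but a caller that passes an uninitialized `gboolean` on that path would read an indeterminate value. Placing `NM_SET_OUT(out_encrypted, FALSE);` ahead of the guard would close that, assuming the macro is in scope in this file as it is in nm-crypto.c. The doc comment could also state that `@out_encrypted` may be %NULL, which the updated tests rely on.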
@@ -496,6 +496,10 @@ gboolean nm_client_dbus_set_property_finish(NMClient *client, GAsyncResult *resu
 NM_AVAILABLE_IN_1_30 void nm_utils_print(int output_mode, const char *msg);
+gboolean nm_utils_file_is_certificate(const char *filename);
+gboolean nm_utils_file_is_private_key(const char *filename, gboolean *out_encrypted);
+gboolean nm_utils_file_is_pkcs12(const char *filename);
+
 G_END_DECLS
 #endif /* __NM_CLIENT_H__ */
diff --git a/src/libnm-core-impl/nm-utils.c b/src/libnm-core-impl/nm-utils.c
index 444476f65..d5d884f2e 100644
--- a/src/libnm-core-impl/nm-utils.c
+++ b/src/libnm-core-impl/nm-utils.c
@@ -17,7 +17,6 @@
 #include
 #include
-#include "libnm-crypto/nm-crypto.h"
 #include "libnm-glib-aux/nm-uuid.h"
 #include "libnm-glib-aux/nm-json-aux.h"
 #include "libnm-glib-aux/nm-str-buf.h"
@@ -3083,94 +3082,6 @@ nm_utils_uuid_generate(void)
 /*****************************************************************************/
-static gboolean
-file_has_extension(const char *filename, const char *extensions[])
-{
- const char *ext;
- gsize i;
-
- ext = strrchr(filename, '.');
- if (!ext)
- return FALSE;
-
- for (i = 0; extensions[i]; i++) {
- if (!g_ascii_strcasecmp(ext, extensions[i]))
- return TRUE;
- }
-
- return FALSE;
-}
-
-/**
- * nm_utils_file_is_certificate:
- * @filename: name of the file to test
- *
- * Tests if @filename has a valid extension for an X.509 certificate file
- * (".cer", ".crt", ".der", or ".pem"), and contains a certificate in a format
- * recognized by NetworkManager.
- *
- * Returns: %TRUE if the file is a certificate, %FALSE if it is not
- **/
-gboolean
-nm_utils_file_is_certificate(const char *filename)
-{
- const char *extensions[] = {".der", ".pem", ".crt", ".cer", NULL};
- NMCryptoFileFormat file_format;
-
- g_return_val_if_fail(filename != NULL, FALSE);
-
- if (!file_has_extension(filename, extensions))
- return FALSE;
-
- if (!nm_crypto_load_and_verify_certificate(filename, &file_format, NULL, NULL))
- return FALSE;
- return file_format = NM_CRYPTO_FILE_FORMAT_X509;
-}
-
-/**
- * nm_utils_file_is_private_key:
- * @filename: name of the file to test
- * @out_encrypted: (out): on return, whether the file is encrypted
- *
- * Tests if @filename has a valid extension for an X.509 private key file
- * (".der", ".key", ".pem", or ".p12"), and contains a private key in a format
- * recognized by NetworkManager.
- *
- * Returns: %TRUE if the file is a private key, %FALSE if it is not
- **/
-gboolean
-nm_utils_file_is_private_key(const char *filename, gboolean *out_encrypted)
-{
- const char *extensions[] = {".der", ".pem", ".p12", ".key", NULL};
-
- g_return_val_if_fail(filename != NULL, FALSE);
-
- NM_SET_OUT(out_encrypted, FALSE);
- if (!file_has_extension(filename, extensions))
- return FALSE;
-
- return nm_crypto_verify_private_key(filename, NULL, out_encrypted, NULL)
- != NM_CRYPTO_FILE_FORMAT_UNKNOWN;
-}
-
-/**
- * nm_utils_file_is_pkcs12:
- * @filename: name of the file to test
- *
- * Tests if @filename is a PKCS#12 file.
- *
- * Returns: %TRUE if the file is PKCS#12, %FALSE if it is not
- **/
-gboolean
-nm_utils_file_is_pkcs12(const char *filename)
-{
- g_return_val_if_fail(filename != NULL, FALSE);
-
- return nm_crypto_is_pkcs12_file(filename, NULL);
-}
-
-/*****************************************************************************/
-
 gboolean _nm_utils_check_file(const char *filename, gint64 check_owner,
diff --git a/src/libnm-core-impl/tests/test-crypto.c b/src/libnm-core-impl/tests/test-crypto.c
index cd2a2c0fd..896c3c2e6 100644
--- a/src/libnm-core-impl/tests/test-crypto.c
+++ b/src/libnm-core-impl/tests/test-crypto.c
@@ -92,7 +92,7 @@ test_cert(gconstpointer test_data)
 nmtst_assert_success(success, error);
 g_assert_cmpint(format, ==, NM_CRYPTO_FILE_FORMAT_X509);
- g_assert(nm_utils_file_is_certificate(path));
+ g_assert(nm_crypto_utils_file_is_certificate(path));
 }
 static void
@@ -106,7 +106,7 @@ test_load_private_key(const char *path,
 gs_unref_bytes GBytes *array = NULL;
 GError *error = NULL;
- g_assert(nm_utils_file_is_private_key(path, &is_encrypted));
+ g_assert(nm_crypto_utils_file_is_private_key(path, &is_encrypted));
 g_assert(is_encrypted);
 array = nmtst_crypto_decrypt_openssl_private_key(path, password, &key_type, &error);
@@ -146,7 +146,7 @@ test_load_pkcs12(const char *path, const char *password, int expected_error)
 gboolean is_encrypted = FALSE;
 GError *error = NULL;
- g_assert(nm_utils_file_is_private_key(path, NULL));
+ g_assert(nm_crypto_utils_file_is_private_key(path, NULL));
 format = nm_crypto_verify_private_key(path, password, &is_encrypted, &error);
 if (expected_error != -1) {
@@ -167,7 +167,7 @@ test_load_pkcs12_no_password(const char *path)
 gboolean is_encrypted = FALSE;
 GError *error = NULL;
- g_assert(nm_utils_file_is_private_key(path, NULL));
+ g_assert(nm_crypto_utils_file_is_private_key(path, NULL));
 /* We should still get a valid returned crypto file format */
 format = nm_crypto_verify_private_key(path, NULL, &is_encrypted, &error);
@@ -201,7 +201,7 @@ test_load_pkcs8(const char *path, const char *password, int expected_error)
 gboolean is_encrypted = FALSE;
 GError *error = NULL;
- g_assert(nm_utils_file_is_private_key(path, NULL));
+ g_assert(nm_crypto_utils_file_is_private_key(path, NULL));
 format = nm_crypto_verify_private_key(path, password, &is_encrypted, &error);
 if (expected_error != -1) {
@@ -285,7 +285,7 @@ test_key_decrypted(gconstpointer test_data)
 path = g_build_filename(TEST_CERT_DIR, file, NULL);
- g_assert(nm_utils_file_is_private_key(path, &is_encrypted));
+ g_assert(nm_crypto_utils_file_is_private_key(path, &is_encrypted));
 g_assert(!is_encrypted);
 g_free(path);
diff --git a/src/libnm-core-public/nm-utils.h b/src/libnm-core-public/nm-utils.h
index 0a7c7a813..5faed75a3 100644
--- a/src/libnm-core-public/nm-utils.h
+++ b/src/libnm-core-public/nm-utils.h
@@ -111,10 +111,6 @@ GPtrArray *nm_utils_ip_routes_from_variant(GVariant *value, int family);
 char *nm_utils_uuid_generate(void);
-gboolean nm_utils_file_is_certificate(const char *filename);
-gboolean nm_utils_file_is_private_key(const char *filename, gboolean *out_encrypted);
-gboolean nm_utils_file_is_pkcs12(const char *filename);
-
 typedef gboolean (*NMUtilsFileSearchInPathsPredicate)(const char *filename, gpointer user_data);
 struct stat;
diff --git a/src/libnm-crypto/nm-crypto.c b/src/libnm-crypto/nm-crypto.c
index 56f297e60..048010512 100644
--- a/src/libnm-crypto/nm-crypto.c
+++ b/src/libnm-crypto/nm-crypto.c
@@ -1042,3 +1042,54 @@ nmtst_crypto_rsa_key_encrypt(const guint8 *data,
 NM_SET_OUT(out_password, g_strdup(tmp_password));
 return nm_secret_buf_to_gbytes_take(ret, ret_len);
 }
+
+/*****************************************************************************/
+
+static gboolean
+file_has_extension(const char *filename, const char *extensions[])
+{
+ const char *ext;
+ gsize i;
+
+ ext = strrchr(filename, '.');
+ if (!ext)
+ return FALSE;
+
+ for (i = 0; extensions[i]; i++) {
+ if (!g_ascii_strcasecmp(ext, extensions[i]))
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+gboolean
+nm_crypto_utils_file_is_certificate(const char *filename)
+{
+ const char *extensions[] = {".der", ".pem", ".crt", ".cer", NULL};
+ NMCryptoFileFormat file_format;
+
+ nm_assert(filename);
+
+ if (!file_has_extension(filename, extensions))
+ return FALSE;
+
+ if (!nm_crypto_load_and_verify_certificate(filename, &file_format, NULL, NULL))
+ return FALSE;
+ return file_format = NM_CRYPTO_FILE_FORMAT_X509;
+}
+
+gboolean
+nm_crypto_utils_file_is_private_key(const char *filename, gboolean *out_encrypted)
+{
+ const char *extensions[] = {".der", ".pem", ".p12", ".key", NULL};
+
+ nm_assert(filename);
+
+ NM_SET_OUT(out_encrypted, FALSE);
+ if (!file_has_extension(filename, extensions))
+ return FALSE;
+
+ return nm_crypto_verify_private_key(filename, NULL, out_encrypted, NULL)
+ != NM_CRYPTO_FILE_FORMAT_UNKNOWN;
+}
diff --git a/src/libnm-crypto/nm-crypto.h b/src/libnm-crypto/nm-crypto.h
index a740c43c5..48c7c6b7a 100644
--- a/src/libnm-crypto/nm-crypto.h
+++ b/src/libnm-crypto/nm-crypto.h
@@ -93,4 +93,7 @@ guint8 *nmtst_crypto_make_des_aes_key(NMCryptoCipherType cipher,
 /*****************************************************************************/
+gboolean nm_crypto_utils_file_is_certificate(const char *filename);
+gboolean nm_crypto_utils_file_is_private_key(const char *filename, gboolean *out_encrypted);
+
 #endif /* __NM_CRYPTO_H__ */
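Review bot: The last statement of `nm_crypto_utils_file_is_certificate()` is `return file_format = NM_CRYPTO_FILE_FORMAT_X509;`, an assignment rather than a comparison, so the return value is the constant itself and not a test of the format that was detected. The line is carried over unchanged from the removed `nm_utils_file_is_certificate()`; to match the public doc comment it should read `return file_format == NM_CRYPTO_FILE_FORMAT_X509;`. As written, any file that `nm_crypto_load_and_verify_certificate()` accepts is presumably reported as an X.509 certificate whatever format was found, which matters to callers that use this helper to classify a user-supplied file. Separately, the NULL guard here changed from `g_return_val_if_fail()` to `nm_assert(filename)`, so direct callers such as the updated tests are only protected if that assertion is active in the build.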