diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index cc19e38284bd82..9e3c63b5ec9245 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -2466,7 +2466,7 @@ void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
     // Store the SNI context for later use.
     w->sni_context_ = BaseObjectPtr<SecureContext>(sc);
 
-    if (UseSNIContext(w->ssl_, sc) && !w->SetCACerts(sc)) {
+    if (UseSNIContext(w->ssl_, w->sni_context_) && !w->SetCACerts(sc)) {
       // Not clear why sometimes we throw error, and sometimes we call
       // onerror(). Both cause .destroy(), but onerror does a bit more.
       unsigned long err = ERR_get_error();  // NOLINT(runtime/int)
diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
index 197bc5cd5913a4..9358edb66b3cb9 100644
--- a/src/node_crypto_common.cc
+++ b/src/node_crypto_common.cc
@@ -1,3 +1,4 @@
+#include "base_object-inl.h"
 #include "env-inl.h"
 #include "node_buffer.h"
 #include "node_crypto.h"
@@ -223,7 +224,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
   return err;
 }
 
-int UseSNIContext(const SSLPointer& ssl, SecureContext* context) {
+int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context) {
   SSL_CTX* ctx = context->ctx_.get();
   X509* x509 = SSL_CTX_get0_certificate(ctx);
   EVP_PKEY* pkey = SSL_CTX_get0_privatekey(ctx);
diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h
index 8d40052bcca2f9..c373a97e4763a4 100644
--- a/src/node_crypto_common.h
+++ b/src/node_crypto_common.h
@@ -71,7 +71,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
     const SSLPointer& ssl,
     long def = X509_V_ERR_UNSPECIFIED);  // NOLINT(runtime/int)
 
-int UseSNIContext(const SSLPointer& ssl, SecureContext* context);
+int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context);
 
 const char* GetClientHelloALPN(const SSLPointer& ssl);