diff --git a/lib/SimpleSAML/Bindings/Shib13/Artifact.php b/lib/SimpleSAML/Bindings/Shib13/Artifact.php
index 263335e37d554c1c24fccea8b27f787ed7953381..d1693373d2656826a7d021d78cc26df88082c1f4 100644
--- a/lib/SimpleSAML/Bindings/Shib13/Artifact.php
+++ b/lib/SimpleSAML/Bindings/Shib13/Artifact.php
@@ -137,8 +137,7 @@ class SimpleSAML_Bindings_Shib13_Artifact {
 			SimpleSAML_Utilities::writeFile($file, $certData);
 		}
 
-		$globalConfig = SimpleSAML_Configuration::getInstance();
-		$spKeyCertFile = $globalConfig->getPathValue('certdir', 'cert/') . $spMetadata->getString('privatekey');
+		$spKeyCertFile = SimpleSAML_Utilities::resolveCert($spMetadata->getString('privatekey'));
 
 		$opts = array(
 			'ssl' => array(
diff --git a/lib/SimpleSAML/Metadata/Signer.php b/lib/SimpleSAML/Metadata/Signer.php
index bd81709f2b23aa9af9f8e30bd0b979cd6c12a0ab..d6964690f2631f9290ff94f78bb997167a4b1996 100644
--- a/lib/SimpleSAML/Metadata/Signer.php
+++ b/lib/SimpleSAML/Metadata/Signer.php
@@ -143,13 +143,13 @@ class SimpleSAML_Metadata_Signer {
 
 		$keyCertFiles = self::findKeyCert($config, $entityMetadata, $type);
 
-		$keyFile = $config->getPathValue('certdir', 'cert/') . $keyCertFiles['privatekey'];
+		$keyFile = SimpleSAML_Utilities::resolveCert($keyCertFiles['privatekey']);
 		if (!file_exists($keyFile)) {
 			throw new Exception('Could not find private key file [' . $keyFile . '], which is needed to sign the metadata');
 		}
 		$keyData = file_get_contents($keyFile);
 
-		$certFile = $config->getPathValue('certdir', 'cert/') . $keyCertFiles['certificate'];
+		$certFile = SimpleSAML_Utilities::resolveCert($keyCertFiles['certificate']);
 		if (!file_exists($certFile)) {
 			throw new Exception('Could not find certificate file [' . $certFile . '], which is needed to sign the metadata');
 		}
diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index dea9998d59c22d34e52d5e141015b4155d77e5a6..18ff41bc463e369181ada626ceef00189e52dc6a 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -1478,6 +1478,21 @@ class SimpleSAML_Utilities {
 	}
 
 
+	/**
+	 * Resolves a path that may be relative to the cert-directory.
+	 *
+	 * @param string $path  The (possibly relative) path to the file.
+	 * @return string  The file path.
+	 */
+	public static function resolveCert($path) {
+		assert('is_string($path)');
+
+		$globalConfig = SimpleSAML_Configuration::getInstance();
+		$base = $globalConfig->getPathValue('certdir', 'cert/');
+		return SimpleSAML_Utilities::resolvePath($path, $base);
+	}
+
+
 	/**
 	 * Get public key or certificate from metadata.
 	 *
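Review bot: The docblock on `resolveCert()` does not say what happens with an absolute path or one containing `..`, which matters now that every private-key, certificate and CA-file lookup in this commit goes through it. From the wording "may be relative", `resolvePath()` presumably returns absolute paths unchanged, so a metadata value could name any file the web server can read, not only files under `certdir`. I would state that in the docblock, e.g. `Absolute paths are returned as-is; no check is made that the result stays inside the cert directory, so only pass values from trusted configuration.` Also, `assert('is_string($path)')` does nothing when assertions are disabled, so a non-string value would reach `resolvePath()` unchecked in production.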
@@ -1525,8 +1540,7 @@ class SimpleSAML_Utilities {
 
 		} elseif (array_key_exists($prefix . 'certificate', $metadata)) {
 			/* Reference to certificate file. */
-			$config = SimpleSAML_Configuration::getInstance();
-			$file = $config->getPathValue('certdir', 'cert/') . $metadata[$prefix . 'certificate'];
+			$file = SimpleSAML_Utilities::resolveCert($metadata[$prefix . 'certificate']);
 			$data = @file_get_contents($file);
 			if ($data === FALSE) {
 				throw new Exception('Unable to load certificate/public key from file "' . $file . '"');
@@ -1612,8 +1626,7 @@ class SimpleSAML_Utilities {
 			}
 		}
 
-		$config = SimpleSAML_Configuration::getInstance();
-		$file = $config->getPathValue('certdir', 'cert/') . $metadata[$prefix . 'privatekey'];
+		$file = SimpleSAML_Utilities::resolveCert($metadata[$prefix . 'privatekey']);
 		$data = @file_get_contents($file);
 		if ($data === FALSE) {
 			throw new Exception('Unable to load private key from file "' . $file . '"');
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index 5a3ba1406574cf0067e61d0dc07bd8ac7edc6f39..56ba0c114fc22edad983adbd784e0e15f3d25a74 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -98,8 +98,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse {
 			$this->validator->validateFingerprint($issuerFingerprint);
 		} elseif(array_key_exists('caFile', $md)) {
 			/* Validate against CA. */
-			$globalConfig = SimpleSAML_Configuration::getInstance();
-			$this->validator->validateCA($globalConfig->getPathValue('certdir', 'cert/') . $md['caFile']);
+			$this->validator->validateCA(SimpleSAML_Utilities::resolveCert($md['caFile']));
 		} else {
 			throw new Exception('Required field [certFingerprint] or [caFile] in Shibboleth 1.3 IdP Remote metadata was not found for identity provider [' . $issuer . ']. Please add a fingerprint and try again. You can add a dummy fingerprint first, and then an error message will be printed with the real fingerprint.');
 		}
diff --git a/lib/SimpleSAML/XML/Signer.php b/lib/SimpleSAML/XML/Signer.php
index f07f48b020ba169028e8f95a68080cb4da96d04c..7072e27c660a78a10252e6dd73df820436f01ba5 100644
--- a/lib/SimpleSAML/XML/Signer.php
+++ b/lib/SimpleSAML/XML/Signer.php
@@ -12,11 +12,6 @@
 class SimpleSAML_XML_Signer {
 
 
-	/**
-	 * The path to the simpleSAMLphp cert dir.
-	 */
-	private static $certDir = FALSE;
-
 	/**
 	 * The name of the ID attribute.
 	 */
@@ -58,11 +53,6 @@ class SimpleSAML_XML_Signer {
 	public function __construct($options = array()) {
 		assert('is_array($options)');
 
-		if(self::$certDir === FALSE) {
-			$config = SimpleSAML_Configuration::getInstance();
-			self::$certDir = $config->getPathValue('certdir', 'cert/');
-		}
-
 		$this->idAttrName = FALSE;
 		$this->privateKey = FALSE;
 		$this->certificate = FALSE;
@@ -128,7 +118,7 @@ class SimpleSAML_XML_Signer {
 		assert('is_string($file)');
 		assert('is_string($pass) || is_null($pass)');
 
-		$keyFile = self::$certDir . $file;
+		$keyFile = SimpleSAML_Utilities::resolveCert($file);
 		if (!file_exists($keyFile)) {
 			throw new Exception('Could not find private key file "' . $keyFile . '".');
 		}
@@ -178,7 +168,7 @@ class SimpleSAML_XML_Signer {
 	public function loadCertificate($file) {
 		assert('is_string($file)');
 
-		$certFile = self::$certDir . $file;
+		$certFile = SimpleSAML_Utilities::resolveCert($file);
 		if (!file_exists($certFile)) {
 			throw new Exception('Could not find certificate file "' . $certFile . '".');
 		}
@@ -213,7 +203,7 @@ class SimpleSAML_XML_Signer {
 	public function addCertificate($file) {
 		assert('is_string($file)');
 
-		$certFile = self::$certDir . $file;
+		$certFile = SimpleSAML_Utilities::resolveCert($file);
 		if (!file_exists($certFile)) {
 			throw new Exception('Could not find extra certificate file "' . $certFile . '".');
 		}
diff --git a/modules/adfs/lib/IdP/ADFS.php b/modules/adfs/lib/IdP/ADFS.php
index da55aa28a832d52f50db049250e192f1cc00c887..144a7a2a15066a57e322bbc7a7b2ab39d94502a6 100644
--- a/modules/adfs/lib/IdP/ADFS.php
+++ b/modules/adfs/lib/IdP/ADFS.php
@@ -156,9 +156,9 @@ class sspmod_adfs_IdP_ADFS {
 		
 		$response = sspmod_adfs_IdP_ADFS::ADFS_GenerateResponse($idpEntityId, $spEntityId, $nameid, $attributes);
 
-		$config = SimpleSAML_Configuration::getInstance();
-		$certdir = $config->getPathValue('certdir', 'cert/');		
-		$wresult = sspmod_adfs_IdP_ADFS::ADFS_SignResponse($response, $certdir . $idpMetadata->getString('privatekey'), $certdir . $idpMetadata->getString('certificate'));
+		$privateKeyFile = SimpleSAML_Utilities::resolveCert($idpMetadata->getString('privatekey'));
+		$certificateFile = SimpleSAML_Utilities::resolveCert($idpMetadata->getString('certificate'));
+		$wresult = sspmod_adfs_IdP_ADFS::ADFS_SignResponse($response, $privateKeyFile, $certificateFile);
 
 		$wctx = $state['adfs:wctx'];
 		sspmod_adfs_IdP_ADFS::ADFS_PostResponse($spMetadata->getValue('prp'), $wresult, $wctx);
diff --git a/modules/saml2/lib/Message.php b/modules/saml2/lib/Message.php
index 10e41a4dcb59c84eeb573470c7429baca17c2e28..6a5b5441800b198a668b38c0a4afaad0e0772540 100644
--- a/modules/saml2/lib/Message.php
+++ b/modules/saml2/lib/Message.php
@@ -164,8 +164,7 @@ class sspmod_saml2_Message {
 					'Missing certificate in metadata for ' .
 					var_export($srcMetadata->getString('entityid'), TRUE));
 			}
-			$globalConfig = SimpleSAML_Configuration::getInstance();
-			$caFile = $globalConfig->getPathValue('certdir', 'cert/') . $caFile;
+			$caFile = SimpleSAML_Utilities::resolveCert($caFile);
 
 			if (count($certificates) === 0) {
 				/* We need the full certificate in order to check it against the CA file. */
diff --git a/www/wsfed/sp/prp.php b/www/wsfed/sp/prp.php
index d5c3becc79a338afc36e034585d7dc2f69fd1463..be7f77280285d667987871fbad3c6518f3eef6e6 100644
--- a/www/wsfed/sp/prp.php
+++ b/www/wsfed/sp/prp.php
@@ -78,7 +78,7 @@ try {
 
 	/* Find the certificate used by the IdP. */
 	if(array_key_exists('certificate', $idpMetadata)) {
-		$certFile = $config->getPathvalue('certdir', 'cert/') . $idpMetadata['certificate'];
+		SimpleSAML_Utilities::resolveCert($idpMetadata['certificate']);
 	} else {
 		throw new Exception('Missing \'certificate\' metadata option in the \'wsfed-idp-remote\' metadata' .
 			' for the IdP \'' .  $idpEntityId . '\'.');
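Review bot: The replacement line in the `certificate` branch calls `SimpleSAML_Utilities::resolveCert(...)` but discards the return value, so `$certFile` is no longer assigned. Any later use of `$certFile` (not visible here; presumably where the IdP's certificate is loaded to check the response signature) would then see an undefined variable. The line should keep the assignment: `$certFile = SimpleSAML_Utilities::resolveCert($idpMetadata['certificate']);`. The `try` block starts and ends outside the hunk, so it is worth confirming how `$certFile` is consumed and that a missing value fails closed.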