diff --git a/src/tlshd/handshake.c b/src/tlshd/handshake.c
index 8240b10..53c91e2 100644
--- a/src/tlshd/handshake.c
+++ b/src/tlshd/handshake.c
@@ -181,6 +181,9 @@ void tlshd_service_socket(void)
 out:
 	tlshd_genl_done(&parms);
+	if (parms.keyring)
+		keyctl_unlink(parms.keyring, KEY_SPEC_SESSION_KEYRING);
+
 	free(parms.peerids);
 	if (parms.session_status) {
diff --git a/src/tlshd/keyring.c b/src/tlshd/keyring.c
index 7894b71..f499a76 100644
--- a/src/tlshd/keyring.c
+++ b/src/tlshd/keyring.c
@@ -247,7 +247,7 @@ key_serial_t tlshd_keyring_create_cert(gnutls_x509_crt_t cert,
 /**
  * tlshd_keyring_link_session - Link a keyring into the session keyring
- * @serial: serial number of the keyring to be linked
+ * @keyring: keyring to be linked
  *
  * Returns 0 on success and -1 on error.
  */
diff --git a/src/tlshd/netlink.c b/src/tlshd/netlink.c
index f6038f3..ff9e35a 100644
--- a/src/tlshd/netlink.c
+++ b/src/tlshd/netlink.c
@@ -101,6 +101,7 @@ tlshd_accept_nl_policy[HANDSHAKE_A_ACCEPT_MAX + 1] = {
 	[HANDSHAKE_A_ACCEPT_PEER_IDENTITY]	= { .type = NLA_U32, },
 	[HANDSHAKE_A_ACCEPT_CERTIFICATE]	= { .type = NLA_NESTED, },
 	[HANDSHAKE_A_ACCEPT_PEERNAME]		= { .type = NLA_STRING, },
+	[HANDSHAKE_A_ACCEPT_KEYRING]		= { .type = NLA_U32, },
 };
 
 static int tlshd_genl_event_handler(struct nl_msg *msg,
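Review bot: The return value of the new `keyctl_unlink()` call in the cleanup path of tlshd_service_socket is discarded, so a failure leaves the kernel-supplied keyring linked into the daemon's session keyring with no trace in the logs, where later key lookups in this process could still resolve against it. The link path in netlink.c reports its failure at debug level; the unlink path should do the same for symmetry: `if (keyctl_unlink(parms.keyring, KEY_SPEC_SESSION_KEYRING) < 0)` / `tlshd_log_debug("Failed to unlink keyring %d error %d\n", parms.keyring, errno);`. The body of tlshd_service_socket begins outside the hunk, so whether `parms` is zero-initialised before this `if (parms.keyring)` test cannot be confirmed from here.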
@@ -267,11 +268,21 @@ static int tlshd_genl_valid_handler(struct nl_msg *msg, void *arg)
 	parms->handshake_type = nla_get_u32(tb[HANDSHAKE_A_ACCEPT_MESSAGE_TYPE]);
 	if (tb[HANDSHAKE_A_ACCEPT_PEERNAME])
 		peername = nla_get_string(tb[HANDSHAKE_A_ACCEPT_PEERNAME]);
+	if (tb[HANDSHAKE_A_ACCEPT_KEYRING])
+		parms->keyring = nla_get_u32(tb[HANDSHAKE_A_ACCEPT_KEYRING]);
 	if (tb[HANDSHAKE_A_ACCEPT_TIMEOUT])
 		parms->timeout_ms = nla_get_u32(tb[HANDSHAKE_A_ACCEPT_TIMEOUT]);
 	if (tb[HANDSHAKE_A_ACCEPT_AUTH_MODE])
 		parms->auth_mode = nla_get_u32(tb[HANDSHAKE_A_ACCEPT_AUTH_MODE]);
+	if (parms->keyring) {
+		err = keyctl_link(parms->keyring, KEY_SPEC_SESSION_KEYRING);
+		if (err < 0) {
+			tlshd_log_debug("Failed to link keyring %lx error %d\n",
+					parms->keyring, errno);
+		}
+	}
+
 	tlshd_parse_peer_identity(parms, tb[HANDSHAKE_A_ACCEPT_PEER_IDENTITY]);
 	tlshd_parse_certificate(parms, tb[HANDSHAKE_A_ACCEPT_CERTIFICATE]);
diff --git a/src/tlshd/netlink.h b/src/tlshd/netlink.h
index 3d7ea58..662e7de 100644
--- a/src/tlshd/netlink.h
+++ b/src/tlshd/netlink.h
@@ -45,6 +45,7 @@ enum {
 	HANDSHAKE_A_ACCEPT_PEER_IDENTITY,
 	HANDSHAKE_A_ACCEPT_CERTIFICATE,
 	HANDSHAKE_A_ACCEPT_PEERNAME,
+	HANDSHAKE_A_ACCEPT_KEYRING,
 	__HANDSHAKE_A_ACCEPT_MAX,
 	HANDSHAKE_A_ACCEPT_MAX = (__HANDSHAKE_A_ACCEPT_MAX - 1)
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
index 9f7de58..135e1e0 100644
--- a/src/tlshd/tlshd.h
+++ b/src/tlshd/tlshd.h
@@ -36,6 +36,7 @@ struct tlshd_handshake_parms {
 	uint32_t handshake_type;
 	unsigned int timeout_ms;
 	uint32_t auth_mode;
+	key_serial_t keyring;
 	key_serial_t x509_cert;
 	key_serial_t x509_privkey;
 	key_serial_t *peerids;
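Review bot: The debug message in the new keyctl_link block of tlshd_genl_valid_handler formats `parms->keyring` with `%lx`, but the field is declared `key_serial_t` (a 32-bit signed integer) in tlshd.h, so the specifier and argument type do not match and -Wformat will flag it; `tlshd_log_debug("Failed to link keyring %d error %d\n", parms->keyring, errno);` is the minimal fix. The same commit touches the doc comment of tlshd_keyring_link_session in keyring.c, which by its comment does exactly this link and reports 0/-1, yet the new code calls `keyctl_link()` directly; routing through that helper (presumably `tlshd_keyring_link_session(parms->keyring)`) would keep keyring handling in one place. Note also that a link failure is only logged and the handshake continues without the kernel-supplied keys, so the eventual failure surfaces later and less clearly; whether aborting here is preferable depends on tlshd_genl_valid_handler's error convention, which lies outside the hunk.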
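Review bot: The new `keyring` member of struct tlshd_handshake_parms is undocumented, and the code that uses it treats zero as "no keyring supplied" (`if (parms->keyring)` in netlink.c and `if (parms.keyring)` in handshake.c), which a reader of the header cannot see. A short comment on the field would capture the contract: `key_serial_t keyring; /* kernel-supplied keyring, 0 if none; linked into the session keyring for this handshake */`. The struct definition begins outside the hunk.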