diff --git a/acme4j-client/src/main/java/org/shredzone/acme4j/Certificate.java b/acme4j-client/src/main/java/org/shredzone/acme4j/Certificate.java
index aafc9204..9cf1d469 100644
--- a/acme4j-client/src/main/java/org/shredzone/acme4j/Certificate.java
+++ b/acme4j-client/src/main/java/org/shredzone/acme4j/Certificate.java
@@ -19,6 +19,7 @@ import java.net.URL;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 
 import org.shredzone.acme4j.connector.Connection;
@@ -140,7 +141,7 @@ public class Certificate extends AcmeResource {
 
             chain = certChain.toArray(new X509Certificate[certChain.size()]);
         }
-        return chain;
+        return Arrays.copyOf(chain, chain.length);
     }
 
     /**
diff --git a/acme4j-client/src/test/java/org/shredzone/acme4j/CertificateTest.java b/acme4j-client/src/test/java/org/shredzone/acme4j/CertificateTest.java
index 92954836..e9fddd4f 100644
--- a/acme4j-client/src/test/java/org/shredzone/acme4j/CertificateTest.java
+++ b/acme4j-client/src/test/java/org/shredzone/acme4j/CertificateTest.java
@@ -101,6 +101,11 @@ public class CertificateTest {
         assertThat(downloadedChain.length, is(1));
         assertThat(downloadedChain[0], is(sameInstance(originalCert)));
 
+        // Make sure the chain array is a local copy
+        downloadedChain[0] = null;
+        X509Certificate[] downloadedChain2 = cert.downloadChain();
+        assertThat(downloadedChain2[0], is(sameInstance(originalCert)));
+
         provider.close();
     }