diff --git a/src/lib/crypt_ops/crypto_dh.c b/src/lib/crypt_ops/crypto_dh.c
index 3e82996935..ab06fd4969 100644
--- a/src/lib/crypt_ops/crypto_dh.c
+++ b/src/lib/crypt_ops/crypto_dh.c
@@ -269,7 +269,7 @@ crypto_dh_new(int dh_type)
   /* LCOV_EXCL_START
    * This error condition is only reached when an allocation fails */
  err:
-  crypto_log_errors(LOG_WARN, "creating DH object");
+  crypto_openssl_log_errors(LOG_WARN, "creating DH object");
   if (res->dh) DH_free(res->dh); /* frees p and g too */
   tor_free(res);
   return NULL;
@@ -309,7 +309,7 @@ crypto_dh_generate_public(crypto_dh_t *dh)
   if (!DH_generate_key(dh->dh)) {
     /* LCOV_EXCL_START
      * To test this we would need some way to tell openssl to break DH. */
-    crypto_log_errors(LOG_WARN, "generating DH key");
+    crypto_openssl_log_errors(LOG_WARN, "generating DH key");
     return -1;
     /* LCOV_EXCL_STOP */
   }
@@ -472,7 +472,7 @@ crypto_dh_compute_secret(int severity, crypto_dh_t *dh,
  error:
   result = -1;
  done:
-  crypto_log_errors(LOG_WARN, "completing DH handshake");
+  crypto_openssl_log_errors(LOG_WARN, "completing DH handshake");
   if (pubkey_bn)
     BN_clear_free(pubkey_bn);
   if (secret_tmp) {
diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.c b/src/lib/crypt_ops/crypto_openssl_mgt.c
index b0c88bff4d..bf5b96f9a5 100644
--- a/src/lib/crypt_ops/crypto_openssl_mgt.c
+++ b/src/lib/crypt_ops/crypto_openssl_mgt.c
@@ -17,6 +17,7 @@
 #include "lib/string/util_string.h"
 #include "lib/lock/compat_mutex.h"
 #include "lib/log/log.h"
+#include "lib/log/util_bug.h"
 #include "lib/testsupport/testsupport.h"
 #include "lib/thread/threads.h"
 
@@ -53,6 +54,27 @@ STATIC void openssl_locking_cb_(int mode, int n, const char *file, int line);
 STATIC void tor_set_openssl_thread_id(CRYPTO_THREADID *threadid);
 #endif
 
+/** Log all pending crypto errors at level <b>severity</b>.  Use
+ * <b>doing</b> to describe our current activities.
+ */
+void
+crypto_openssl_log_errors(int severity, const char *doing)
+{
+  unsigned long err;
+  const char *msg, *lib, *func;
+  while ((err = ERR_get_error()) != 0) {
+    msg = (const char*)ERR_reason_error_string(err);
+    lib = (const char*)ERR_lib_error_string(err);
+    func = (const char*)ERR_func_error_string(err);
+    if (!msg) msg = "(null)";
+    if (!lib) lib = "(null)";
+    if (!func) func = "(null)";
+    if (BUG(!doing)) doing = "(null)";
+    tor_log(severity, LD_CRYPTO, "crypto error while %s: %s (in %s:%s)",
+              doing, msg, lib, func);
+  }
+}
+
 /* Returns a trimmed and human-readable version of an openssl version string
 * <b>raw_version</b>. They are usually in the form of 'OpenSSL 1.0.0b 10
 * May 2012' and this will parse them into a form similar to '1.0.0b' */
diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h b/src/lib/crypt_ops/crypto_openssl_mgt.h
index 60583a056e..417bb36f01 100644
--- a/src/lib/crypt_ops/crypto_openssl_mgt.h
+++ b/src/lib/crypt_ops/crypto_openssl_mgt.h
@@ -69,6 +69,8 @@
 #define NEW_THREAD_API
 #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) && ... */
 
+void crypto_openssl_log_errors(int severity, const char *doing);
+
 /* global openssl state */
 const char * crypto_openssl_get_version_str(void);
 const char * crypto_openssl_get_header_version_str(void);
diff --git a/src/lib/crypt_ops/crypto_rsa.c b/src/lib/crypt_ops/crypto_rsa.c
index f0fd6d5f4b..d8a9be7ec9 100644
--- a/src/lib/crypt_ops/crypto_rsa.c
+++ b/src/lib/crypt_ops/crypto_rsa.c
@@ -207,7 +207,7 @@ crypto_pk_generate_key_with_bits,(crypto_pk_t *env, int bits))
   }
 
   if (!env->key) {
-    crypto_log_errors(LOG_WARN, "generating RSA key");
+    crypto_openssl_log_errors(LOG_WARN, "generating RSA key");
     return -1;
   }
 
@@ -252,7 +252,7 @@ crypto_pk_read_private_key_from_string(crypto_pk_t *env,
   BIO_free(b);
 
   if (!env->key) {
-    crypto_log_errors(LOG_WARN, "Error parsing private key");
+    crypto_openssl_log_errors(LOG_WARN, "Error parsing private key");
     return -1;
   }
   return 0;
@@ -316,7 +316,7 @@ crypto_pk_write_key_to_string_impl(crypto_pk_t *env, char **dest,
     r = PEM_write_bio_RSAPrivateKey(b, env->key, NULL,NULL,0,NULL,NULL);
 
   if (!r) {
-    crypto_log_errors(LOG_WARN, "writing RSA key to string");
+    crypto_openssl_log_errors(LOG_WARN, "writing RSA key to string");
     BIO_free(b);
     return -1;
   }
@@ -382,7 +382,7 @@ crypto_pk_read_public_key_from_string(crypto_pk_t *env, const char *src,
   env->key = PEM_read_bio_RSAPublicKey(b, NULL, pem_no_password_cb, NULL);
   BIO_free(b);
   if (!env->key) {
-    crypto_log_errors(LOG_WARN, "reading public key from string");
+    crypto_openssl_log_errors(LOG_WARN, "reading public key from string");
     return -1;
   }
 
@@ -408,7 +408,7 @@ crypto_pk_write_private_key_to_filename(crypto_pk_t *env,
     return -1;
   if (PEM_write_bio_RSAPrivateKey(bio, env->key, NULL,NULL,0,NULL,NULL)
       == 0) {
-    crypto_log_errors(LOG_WARN, "writing private key");
+    crypto_openssl_log_errors(LOG_WARN, "writing private key");
     BIO_free(bio);
     return -1;
   }
@@ -434,7 +434,7 @@ crypto_pk_check_key(crypto_pk_t *env)
 
   r = RSA_check_key(env->key);
   if (r <= 0)
-    crypto_log_errors(LOG_WARN,"checking RSA key");
+    crypto_openssl_log_errors(LOG_WARN,"checking RSA key");
   return r;
 }
 
@@ -601,7 +601,7 @@ crypto_pk_copy_full(crypto_pk_t *env)
      */
     log_err(LD_CRYPTO, "Unable to duplicate a %s key: openssl failed.",
             privatekey?"private":"public");
-    crypto_log_errors(LOG_ERR,
+    crypto_openssl_log_errors(LOG_ERR,
                       privatekey ? "Duplicating a private key" :
                       "Duplicating a public key");
     tor_fragile_assert();
@@ -777,7 +777,7 @@ crypto_pk_public_encrypt(crypto_pk_t *env, char *to, size_t tolen,
                          (unsigned char*)from, (unsigned char*)to,
                          env->key, crypto_get_rsa_padding(padding));
   if (r<0) {
-    crypto_log_errors(LOG_WARN, "performing RSA encryption");
+    crypto_openssl_log_errors(LOG_WARN, "performing RSA encryption");
     return -1;
   }
   return r;
@@ -813,7 +813,7 @@ crypto_pk_private_decrypt(crypto_pk_t *env, char *to,
                           env->key, crypto_get_rsa_padding(padding));
 
   if (r<0) {
-    crypto_log_errors(warnOnFailure?LOG_WARN:LOG_DEBUG,
+    crypto_openssl_log_errors(warnOnFailure?LOG_WARN:LOG_DEBUG,
                       "performing RSA decryption");
     return -1;
   }
@@ -844,7 +844,7 @@ crypto_pk_public_checksig,(const crypto_pk_t *env, char *to,
                          env->key, RSA_PKCS1_PADDING);
 
   if (r<0) {
-    crypto_log_errors(LOG_INFO, "checking RSA signature");
+    crypto_openssl_log_errors(LOG_INFO, "checking RSA signature");
     return -1;
   }
   return r;
@@ -876,7 +876,7 @@ crypto_pk_private_sign(const crypto_pk_t *env, char *to, size_t tolen,
                           (unsigned char*)from, (unsigned char*)to,
                           (RSA*)env->key, RSA_PKCS1_PADDING);
   if (r<0) {
-    crypto_log_errors(LOG_WARN, "generating RSA signature");
+    crypto_openssl_log_errors(LOG_WARN, "generating RSA signature");
     return -1;
   }
   return r;
@@ -921,7 +921,7 @@ crypto_pk_asn1_decode(const char *str, size_t len)
   rsa = d2i_RSAPublicKey(NULL, &cp, len);
   tor_free(buf);
   if (!rsa) {
-    crypto_log_errors(LOG_WARN,"decoding public key");
+    crypto_openssl_log_errors(LOG_WARN,"decoding public key");
     return NULL;
   }
   return crypto_new_pk_from_rsa_(rsa);
@@ -1165,7 +1165,7 @@ crypto_pk_base64_decode(const char *str, size_t len)
   const unsigned char *dp = (unsigned char*)der; /* Shut the compiler up. */
   RSA *rsa = d2i_RSAPrivateKey(NULL, &dp, der_len);
   if (!rsa) {
-    crypto_log_errors(LOG_WARN, "decoding private key");
+    crypto_openssl_log_errors(LOG_WARN, "decoding private key");
     goto out;
   }
 
diff --git a/src/lib/crypt_ops/crypto_util.c b/src/lib/crypt_ops/crypto_util.c
index 79988c6a91..a645321bfb 100644
--- a/src/lib/crypt_ops/crypto_util.c
+++ b/src/lib/crypt_ops/crypto_util.c
@@ -10,7 +10,6 @@
  * \brief Common cryptographic utilities.
  **/
 
-#ifndef CRYPTO_UTIL_PRIVATE
 #define CRYPTO_UTIL_PRIVATE
 
 #include "lib/crypt_ops/crypto_util.h"
@@ -105,25 +104,3 @@ memwipe(void *mem, uint8_t byte, size_t sz)
    **/
   memset(mem, byte, sz);
 }
-
-/** Log all pending crypto errors at level <b>severity</b>.  Use
- * <b>doing</b> to describe our current activities.
- */
-void
-crypto_log_errors(int severity, const char *doing)
-{
-  unsigned long err;
-  const char *msg, *lib, *func;
-  while ((err = ERR_get_error()) != 0) {
-    msg = (const char*)ERR_reason_error_string(err);
-    lib = (const char*)ERR_lib_error_string(err);
-    func = (const char*)ERR_func_error_string(err);
-    if (!msg) msg = "(null)";
-    if (!lib) lib = "(null)";
-    if (!func) func = "(null)";
-    if (BUG(!doing)) doing = "(null)";
-    tor_log(severity, LD_CRYPTO, "crypto error while %s: %s (in %s:%s)",
-              doing, msg, lib, func);
-  }
-}
-#endif /* !defined(CRYPTO_UTIL_PRIVATE) */
diff --git a/src/lib/crypt_ops/crypto_util.h b/src/lib/crypt_ops/crypto_util.h
index 3ce34e6f23..e032263225 100644
--- a/src/lib/crypt_ops/crypto_util.h
+++ b/src/lib/crypt_ops/crypto_util.h
@@ -18,13 +18,4 @@
 /** OpenSSL-based utility functions. */
 void memwipe(void *mem, uint8_t byte, size_t sz);
 
-/** Log utility function */
-void crypto_log_errors(int severity, const char *doing);
-
-#ifdef CRYPTO_UTIL_PRIVATE
-#ifdef TOR_UNIT_TESTS
-#endif /* defined(TOR_UNIT_TESTS) */
-#endif /* defined(CRYPTO_UTIL_PRIVATE) */
-
 #endif /* !defined(TOR_CRYPTO_UTIL_H) */
-
diff --git a/src/tools/tor-gencert.c b/src/tools/tor-gencert.c
index f87283097e..7e54483b28 100644
--- a/src/tools/tor-gencert.c
+++ b/src/tools/tor-gencert.c
@@ -15,6 +15,7 @@
 
 #include "lib/cc/compat_compiler.h"
 #include "lib/crypt_ops/crypto_init.h"
+#include "lib/crypt_ops/crypto_openssl_mgt.h"
 
 /* Some versions of OpenSSL declare X509_STORE_CTX_set_verify_cb twice in
  * x509.h and x509_vfy.h. Suppress the GCC warning so we can build with
@@ -267,7 +268,7 @@ load_identity_key(void)
                IDENTITY_KEY_BITS);
     if (!(key = generate_key(IDENTITY_KEY_BITS))) {
       log_err(LD_GENERAL, "Couldn't generate identity key.");
-      crypto_log_errors(LOG_ERR, "Generating identity key");
+      crypto_openssl_log_errors(LOG_ERR, "Generating identity key");
       return 1;
     }
     identity_key = EVP_PKEY_new();
@@ -289,7 +290,7 @@ load_identity_key(void)
                                        NULL, NULL)) {
       log_err(LD_GENERAL, "Couldn't write identity key to %s",
               identity_key_file);
-      crypto_log_errors(LOG_ERR, "Writing identity key");
+      crypto_openssl_log_errors(LOG_ERR, "Writing identity key");
       abort_writing_to_file(open_file);
       return 1;
     }
@@ -354,7 +355,7 @@ generate_signing_key(void)
              SIGNING_KEY_BITS);
   if (!(key = generate_key(SIGNING_KEY_BITS))) {
     log_err(LD_GENERAL, "Couldn't generate signing key.");
-    crypto_log_errors(LOG_ERR, "Generating signing key");
+    crypto_openssl_log_errors(LOG_ERR, "Generating signing key");
     return 1;
   }
   signing_key = EVP_PKEY_new();
@@ -370,7 +371,7 @@ generate_signing_key(void)
 
   /* Write signing key with no encryption. */
   if (!PEM_write_RSAPrivateKey(f, key, NULL, NULL, 0, NULL, NULL)) {
-    crypto_log_errors(LOG_WARN, "writing signing key");
+    crypto_openssl_log_errors(LOG_WARN, "writing signing key");
     abort_writing_to_file(open_file);
     return 1;
   }
@@ -394,7 +395,7 @@ key_to_string(EVP_PKEY *key)
 
   b = BIO_new(BIO_s_mem());
   if (!PEM_write_bio_RSAPublicKey(b, rsa)) {
-    crypto_log_errors(LOG_WARN, "writing public key to string");
+    crypto_openssl_log_errors(LOG_WARN, "writing public key to string");
     RSA_free(rsa);
     return NULL;
   }