diff --git a/core/src/main/java/google/registry/flows/TlsCredentials.java b/core/src/main/java/google/registry/flows/TlsCredentials.java
index 8fde8bd0b..48f64bdff 100644
--- a/core/src/main/java/google/registry/flows/TlsCredentials.java
+++ b/core/src/main/java/google/registry/flows/TlsCredentials.java
@@ -289,7 +289,7 @@ public class TlsCredentials implements TransportCredentials {
     static Optional<String> provideClientCertificate(HttpServletRequest req) {
       // Note: This header is actually required, we just want to handle its absence explicitly
       // by throwing an EPP exception rather than a generic Bad Request exception.
-      return extractOptionalHeader(req, "X-SSL-Full_Certificate");
+      return extractOptionalHeader(req, "X-SSL-Full-Certificate");
     }
 
     @Provides
diff --git a/core/src/test/java/google/registry/flows/TlsCredentialsTest.java b/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
index d3e77838a..e0d480f20 100644
--- a/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
+++ b/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
@@ -118,10 +118,11 @@ final class TlsCredentialsTest {
     tls.validateCertificate(Registrar.loadByClientId("TheRegistrar").get());
   }
 
+  @Test
   void testProvideClientCertificate() {
     HttpServletRequest req = mock(HttpServletRequest.class);
     when(req.getHeader("X-SSL-Full-Certificate")).thenReturn("data");
-    assertThat(TlsCredentials.EppTlsModule.provideClientCertificate(req)).isEqualTo("data");
+    assertThat(TlsCredentials.EppTlsModule.provideClientCertificate(req)).hasValue("data");
   }
 
   @Test