diff --git a/CHANGELOG.md b/CHANGELOG.md
index cdee71470..d19f858a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ mkdir certs crl newcerts private csrs
 chmod 700 private
 touch index.txt
 echo 1000 > serial
+echo 1000 > crlnumber
 ```
 
 Generate the root key (prompts for pass phrase):
@@ -26,6 +27,8 @@ exit
 
 Make sure the following options are in place:
 ```
+crl_extensions = crl_ext
+
 [ CA_default ]
 # Where everything is kept
 dir = /home/registry/registry/shared/ca
@@ -71,6 +74,12 @@ openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.
 Sign the request and create certificate:
 ```
 openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
+chmod 444 certs/webclient.crt.pem
+```
+
+Create certificate revocation list (prompts for pass phrase):
+```
+openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
 ```
 
 Configure EPP virtual host:
diff --git a/app/api/repp/api.rb b/app/api/repp/api.rb
index ec0b3167f..04b805597 100644
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@@ -3,18 +3,8 @@ module Repp
 format :json
 prefix :repp
 
- before do
- auth_param = request.headers['Authorization'].split(' ', 2).second
- username, password = ::Base64.decode64(auth_param || '').split(':', 2)
-
- # allow user lookup only by username if request came from webclient
- if request.ip == APP_CONFIG['webclient_ip'] && password.blank?
- login_params = { username: username }
- else
- login_params = { username: username, password: password }
- end
-
- @current_user ||= ApiUser.find_by(login_params)
+ http_basic do |username, password|
+ @current_user ||= ApiUser.find_by(username: username, password: password)
 end
 
 helpers do
diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index 6a4696e49..f12b2e56d 100644
--- a/app/controllers/epp/sessions_controller.rb
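Review bot: The new `http_basic` block authenticates with `ApiUser.find_by(username: username, password: password)`, which matches the submitted password against the stored column by SQL equality, so it only works if ApiUser keeps the credential in the clear and it gives up the hashed, constant-time comparison a password check should have. Prefer `user = ApiUser.find_by(username: username)` followed by the model's own password-verification method (if ApiUser uses `has_secure_password`, its `authenticate`), yielding the user from the block only when that succeeds; the same plaintext lookup appears in the sessions_controller.rb hunk as `ApiUser.find_by(login_params)`. Dropping the username-only path for the webclient IP is an improvement, but a credential sent as `user:` still reaches the query as an empty-string password match, so confirm no ApiUser row can carry an empty password. The enclosing API class opens and closes outside the hunk.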
+++ b/app/controllers/epp/sessions_controller.rb
@@ -9,10 +9,7 @@ class Epp::SessionsController < EppController
 # rubocop: disable Metrics/CyclomaticComplexity
 def login
 cert_valid = true
- # Allow login with only username
- if request.ip == APP_CONFIG['webclient_ip'] && login_params[:password].nil?
- @api_user = ApiUser.find_by(username: login_params[:username])
- elsif request.ip == APP_CONFIG['webclient_ip']
+ if request.ip == APP_CONFIG['webclient_ip']
 @api_user = ApiUser.find_by(login_params)
 else
 if request.env['HTTP_SSL_CLIENT_S_DN_CN'] != login_params[:username]
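Review bot: The retained `if request.ip == APP_CONFIG['webclient_ip']` branch still skips the client-certificate CN comparison entirely, so for the webclient the source address is the only thing standing in for the certificate check every other caller must pass. `request.ip` is derived from forwarded-for headers when the app runs behind a proxy, so its trustworthiness depends on proxy and trusted-proxy configuration this hunk cannot show; since the CHANGELOG hunk in this commit now issues a webclient certificate, consider applying the `HTTP_SSL_CLIENT_S_DN_CN` comparison to the webclient as well and keeping the IP test as an additional rather than a substitute condition. With the `elsif` gone, the `# rubocop: disable Metrics/CyclomaticComplexity` context line above may no longer be needed and is worth re-checking with the linter. The `login` method continues past the end of the hunk.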