diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79f0cc390..a7ac4eee8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@ Go to registry shared folder and setup CA directory tree:
```
mkdir ca
cd ca
-mkdir certs crl newcerts private
+mkdir certs crl newcerts private csrs
chmod 700 private
touch index.txt
echo 1000 > serial
@@ -45,12 +45,13 @@ authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
+# For the CA policy
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
-commonName = optional
+commonName = supplied
emailAddress = optional
```
@@ -60,6 +61,18 @@ openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3
chmod 444 certs/ca.cert.pem
```
+Create a CSR for the webclient:
+```
+openssl genrsa -out private/webclient.key.pem 4096
+chmod 400 private/webclient.key.pem
+openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
+```
+
+Sign the request and create certificate:
+```
+openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.cert.pem
+```
+
Configure EPP virtual host:
```
sudo nano /etc/apache2/sites-enabled/epp.conf
@@ -75,10 +88,30 @@ With these lines:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+ RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
+```
+
+Configure webclient virtual host:
+```
+ SSLVerifyClient none
+ SSLVerifyDepth 1
+ SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+
+ RequestHeader set SSL_CLIENT_S_DN_CN ""
+
+
+ SSLVerifyClient require
+
+
+
+ SSLVerifyClient require
+ RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
+
```
Reload apache:
```
+sudo a2enmod headers
sudo /etc/init.d/apache2 reload
```
diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index 4d7e2481b..53ac68421 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -3,15 +3,23 @@ class Epp::SessionsController < EppController
render_epp_response('greeting')
end
+ # rubocop: disable Metrics/PerceivedComplexity
+ # rubocop: disable Metrics/CyclomaticComplexity
def login
+ cert_valid = true
# Allow login with only username
if request.ip == APP_CONFIG['webclient_ip'] && login_params[:password].nil?
@api_user = ApiUser.find_by(username: login_params[:username])
+ elsif request.ip == APP_CONFIG['webclient_ip']
+ @api_user = ApiUser.find_by(login_params)
else
+ if request.env['HTTP_SSL_CLIENT_S_DN_CN'] != login_params[:username]
+ cert_valid = false
+ end
@api_user = ApiUser.find_by(login_params)
end
- if @api_user.try(:active)
+ if @api_user.try(:active) && cert_valid
epp_session[:api_user_id] = @api_user.id
render_epp_response('login_success')
else
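Review bot: The certificate check added in the `else` branch treats `request.env['HTTP_SSL_CLIENT_S_DN_CN']` as proof that a client certificate was presented, but that value is an ordinary HTTP request header (`SSL_CLIENT_S_DN_CN`), and it is authoritative only while every path into the app goes through a vhost that overwrites it, as the `RequestHeader set` lines in the CHANGELOG hunk do; any route that reaches Rails without that directive (a direct connection to the app server, or a vhost missing the line) lets a client supply the header itself and pass the match with a leaked password alone. It would be safer to fail closed on a missing or empty header rather than relying on `!=` against a possibly nil value, e.g. `cert_cn = request.env['HTTP_SSL_CLIENT_S_DN_CN']` followed by `cert_valid = cert_cn.present? && cert_cn == login_params[:username]`. The first two branches key entirely off `request.ip == APP_CONFIG['webclient_ip']`; if the app honours `X-Forwarded-For` from a proxy, that comparison may be spoofable, so the trusted-proxy configuration is worth confirming before relying on it to skip the certificate check. The new rubocop disables suggest extracting the comparison into a small predicate such as `client_cert_matches?` instead of widening the complexity budget. The `login` method's `else` branch and the rest of its body continue past the end of this hunk.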
@@ -19,6 +27,8 @@ class Epp::SessionsController < EppController
render_epp_response('login_fail')
end
end
+ # rubocop: enable Metrics/PerceivedComplexity
+ # rubocop: enable Metrics/CyclomaticComplexity
def logout
@api_user = current_user # cache current_user for logging