diff --git a/app/controllers/repp/v1/base_controller.rb b/app/controllers/repp/v1/base_controller.rb
index fd360d4d3..393c7264b 100644
--- a/app/controllers/repp/v1/base_controller.rb
+++ b/app/controllers/repp/v1/base_controller.rb
@@ -162,10 +162,7 @@ module Repp
 end
 def skip_webclient_user_cert_validation?
- Rails.env.development? ||
- Rails.env.test? ||
- !webclient_request? ||
- request.headers['Requester'] == 'tara'
+ !webclient_request? || request.headers['Requester'] == 'tara'
 end
 def auth_values_to_data(registrar:)
diff --git a/test/integration/repp/v1/base_test.rb b/test/integration/repp/v1/base_test.rb
index ee89efd69..1d51c9a1e 100644
--- a/test/integration/repp/v1/base_test.rb
+++ b/test/integration/repp/v1/base_test.rb
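Review bot: With the environment shortcuts removed, `request.headers['Requester'] == 'tara'` is the only condition left in skip_webclient_user_cert_validation? that lets a webclient request through without a user certificate, and a request header is caller-controlled. That is acceptable only if the `Requester` header can reach this controller solely from the trusted webclient hop (presumably behind the CA check the new tests stub out as `validate_webclient_ca`) and is never forwarded from end users; nothing in the hunk shows either, so the assumption should be stated on the method, e.g. `# 'Requester: tara' bypasses the user-cert check; safe only because the header is set by the webclient itself after CA validation and never relayed from end users.` If that does not hold, the header check should be replaced by a signal the webclient proves cryptographically, i.e. the same certificate path `validate_webclient_ca` already relies on. The hunk's last line opens auth_values_to_data, whose body is outside the hunk.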
@@ -77,6 +77,43 @@ class ReppV1BaseTest < ActionDispatch::IntegrationTest
 Setting.registrar_ip_whitelist_enabled = false
 end
+ def test_validates_webclient_user_certificate_ok
+ cert = certificates(:registrar)
+ @auth_headers.merge!({ 'User-Certificate' => cert.crt, 'User-Certificate-CN' => cert.common_name })
+
+ Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do
+ Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do
+ get repp_v1_registrar_auth_index_path, headers: @auth_headers
+ end
+ end
+
+ assert_response :ok
+ end
+
+ def test_validates_webclient_user_certificate_if_missing
+ Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do
+ Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do
+ get repp_v1_registrar_auth_index_path, headers: @auth_headers
+ end
+ end
+
+ assert_unauthorized_user_cert
+ end
+
+ def test_validates_webclient_user_certificate_if_revoked
+ cert = certificates(:registrar)
+ cert.update(revoked: true)
+ @auth_headers.merge!({ 'User-Certificate' => cert.crt, 'User-Certificate-CN' => cert.common_name })
+
+ Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do
+ Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do
+ get repp_v1_registrar_auth_index_path, headers: @auth_headers
+ end
+ end
+
+ assert_unauthorized_user_cert
+ end
+
 private
 def assert_unauthorized_ip
@@ -86,4 +123,12 @@ class ReppV1BaseTest < ActionDispatch::IntegrationTest
 assert_equal 2202, response_json[:code]
 assert response_json[:message].include? 'Access denied from IP'
 end
+
+ def assert_unauthorized_user_cert
+ response_json = JSON.parse(response.body, symbolize_names: true)
+
+ assert_response :unauthorized
+ assert_equal 2202, response_json[:code]
+ assert response_json[:message].include? 'Invalid user certificate'
+ end
 end
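Review bot: The new tests cover the missing and revoked certificate paths but never the `Requester: tara` branch that the controller change leaves as the sole bypass of the user-certificate check, so that bypass silently widening (or being dropped) would go unnoticed. A test that sends `'Requester' => 'tara'` with no certificate and asserts `:ok` pins the bypass as deliberate, and a sibling with any other `Requester` value and no certificate should still land in `assert_unauthorized_user_cert`; both reuse the same stubs as the tests in this hunk. The enclosing class ReppV1BaseTest begins before and ends after this hunk.
```ruby
  def test_skips_webclient_user_certificate_for_tara_requester
    @auth_headers.merge!({ 'Requester' => 'tara' })

    Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do
      Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do
        get repp_v1_registrar_auth_index_path, headers: @auth_headers
      end
    end

    assert_response :ok
  end

  def test_does_not_skip_webclient_user_certificate_for_other_requester
    @auth_headers.merge!({ 'Requester' => 'other' })

    Repp::V1::BaseController.stub_any_instance(:webclient_request?, true) do
      Repp::V1::BaseController.stub_any_instance(:validate_webclient_ca, true) do
        get repp_v1_registrar_auth_index_path, headers: @auth_headers
      end
    end

    assert_unauthorized_user_cert
  end
  # … unchanged: existing certificate tests and private helpers …
```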