diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index fe241d94e..f64715d52 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -13,6 +13,15 @@ class Epp::SessionsController < EppController
 success = true
 @api_user = ApiUser.find_by(login_params)
+ if request.ip == ENV['webclient_ip'] && !Rails.env.test?
+ client_md5 = Certificate.parse_md_from_string(request.env['HTTP_SSL_CLIENT_CERT'])
+ server_md5 = Certificate.parse_md_from_string(File.read(ENV['cert_path']))
+ if client_md5 != server_md5
+ @msg = 'Authentication error; server closing connection (certificate is not valid)'
+ success = false
+ end
+ end
+
 if request.ip != ENV['webclient_ip'] && @api_user
 unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
 @msg = 'Authentication error; server closing connection (certificate is not valid)'
diff --git a/app/models/certificate.rb b/app/models/certificate.rb
index c1a7d3019..ecf58f77a 100644
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@@ -200,5 +200,14 @@ class Certificate < ActiveRecord::Base
 _out, _err, _st = Open3.capture3("sudo /etc/init.d/apache2 reload")
 STDOUT << "#{Time.zone.now.utc} - Apache reloaded\n"
 end
+
+ def parse_md_from_string(crt)
+ return nil if crt.blank?
+ crt = crt.split(' ').join("\n")
+ crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
+ crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
+ cert = OpenSSL::X509::Certificate.new(crt)
+ OpenSSL::Digest::MD5.new(cert.to_der).to_s
+ end
 end
 end
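Review bot: The new webclient branch fails open when both fingerprints are nil: `parse_md_from_string` returns nil for a blank input, so a request carrying no client certificate compared against an empty or unreadable file at `ENV['cert_path']` makes `client_md5 != server_md5` false and `success` stays true. The comparison should reject a missing value on either side explicitly, and a malformed PEM in `HTTP_SSL_CLIENT_CERT` should be an authentication failure rather than the unhandled `OpenSSL::X509::CertificateError` that `OpenSSL::X509::Certificate.new` raises inside the helper. Gating on `request.ip == ENV['webclient_ip']` is only as strong as whatever sets `request.ip` in this deployment (a reverse proxy honouring forwarded headers would weaken it), so a comment stating that assumption is worth adding. The enclosing action starts before this hunk and continues after it.
```ruby
    if request.ip == ENV['webclient_ip'] && !Rails.env.test?
      begin
        client_md5 = Certificate.parse_md_from_string(request.env['HTTP_SSL_CLIENT_CERT'])
        server_md5 = Certificate.parse_md_from_string(File.read(ENV['cert_path']))
      rescue OpenSSL::X509::CertificateError
        client_md5 = nil # malformed PEM is an auth failure, not a 500
      end
      # fail closed: a missing fingerprint on either side must never compare equal
      if client_md5.nil? || server_md5.nil? || client_md5 != server_md5
        @msg = 'Authentication error; server closing connection (certificate is not valid)'
        success = false
      end
    end
    # … unchanged: api_pki_ok? check for non-webclient callers …
```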
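Review bot: `parse_md_from_string` raises `OpenSSL::X509::CertificateError` on any input that is not a parseable PEM certificate, so a caller passing a garbled `HTTP_SSL_CLIENT_CERT` gets an unhandled exception rather than a failed check; either rescue it here, or document it with `# @raise [OpenSSL::X509::CertificateError] when the PEM cannot be parsed` so callers know to. If you do rescue and return nil, note that the controller treats two nils as equal, so nil must be rejected by the caller. MD5 is also a weak choice for certificate identity and may be unavailable under a FIPS-mode OpenSSL; comparing `cert.to_der` directly or using `OpenSSL::Digest::SHA256.new(cert.to_der).to_s` costs nothing and the generic name `parse_md_from_string` still fits. The `split(' ').join("\n")` reassembly appears to undo a space-for-newline flattening of the PEM by the web server, which deserves a comment such as `# reverse the newline-to-space flattening applied to SSL_CLIENT_CERT before parsing`. This method appears to sit inside a `class << self` block whose opening is outside the hunk.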