diff --git a/app/models/certificate.rb b/app/models/certificate.rb
index f0711d4f5..940c5fdc8 100644
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@@ -32,20 +32,21 @@ class Certificate < ApplicationRecord
 errors.add(:base, I18n.t(:invalid_csr_or_crt))
 end
- before_create :parse_metadata
- def parse_metadata
- if crt
- pc = parsed_crt.try(:subject).try(:to_s) || ''
- cn = pc.scan(/\/CN=(.+)/).flatten.first
- self.common_name = cn.split('/').first
- self.md5 = OpenSSL::Digest::MD5.new(parsed_crt.to_der).to_s
- self.interface = API
- elsif csr
- pc = parsed_csr.try(:subject).try(:to_s) || ''
- cn = pc.scan(/\/CN=(.+)/).flatten.first
- self.common_name = cn.split('/').first
- self.interface = REGISTRAR
- end
+ validate :assign_metadata
+
+ def assign_metadata
+ origin = crt ? parsed_crt : parsed_csr
+ parse_metadata(origin)
+ rescue NoMethodError
+ errors.add(:base, I18n.t(:invalid_csr_or_crt))
+ end
+
+ def parse_metadata(origin)
+ pc = origin.subject.to_s
+ cn = pc.scan(%r{\/CN=(.+)}).flatten.first
+ self.common_name = cn.split('/').first
+ self.md5 = OpenSSL::Digest::MD5.new(origin.to_der).to_s if crt
+ self.interface = crt ? API : REGISTRAR
 end
 def parsed_crt
diff --git a/test/fixtures/certificates.yml b/test/fixtures/certificates.yml
index c91df3ace..4799743ff 100644
--- a/test/fixtures/certificates.yml
+++ b/test/fixtures/certificates.yml
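Review bot: Registering `assign_metadata` with `validate` makes the metadata assignment run on every validation instead of once at create, so `self.interface = crt ? API : REGISTRAR` overwrites a stored `registrar` interface whenever the record carries a `crt`. That would affect a CSR-created record that later receives a signed `crt`, if the application does that. It also means the `registrar` assertions after `certificate.update(revoked: true)` in the `test/models/api_user_test.rb` hunk may pass because the interface flipped rather than because of `revoked`. If the interface is meant to be fixed at creation, restrict the callback with `validate :assign_metadata, on: :create` or assign with `self.interface ||= crt ? API : REGISTRAR`. Separately, `rescue NoMethodError` doubles as the invalid-input check for a nil `origin` or a subject without a CN and would hide unrelated bugs raised inside `parse_metadata`; explicit nil checks on `origin` and `cn` would be narrower.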
@@ -1,7 +1,14 @@
-one:
+api:
 api_user: api_bestnames
 common_name: registry.test
 crt: "-----BEGIN CERTIFICATE-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE-----\n"
 md5: e6771ed5dc857a1dbcc1e0a36baa1fee
 interface: api
 revoked: false
+registrar:
+ api_user: api_bestnames
+ common_name: registry.test
+ crt: "-----BEGIN CERTIFICATE-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE-----\n"
+ md5: e6771ed5dc857a1dbcc1e0a36baa1fee
+ interface: registrar
+ revoked: false
diff --git a/test/models/api_user_test.rb b/test/models/api_user_test.rb
index dd907f75c..ecbff5cbb 100644
--- a/test/models/api_user_test.rb
+++ b/test/models/api_user_test.rb
@@ -64,18 +64,22 @@ class ApiUserTest < ActiveSupport::TestCase
 end
 def test_verifies_pki_status
- certificate = certificates(:one)
+ certificate = certificates(:api)
 assert @user.pki_ok?(certificate.crt, certificate.common_name, api: true)
 assert_not @user.pki_ok?(certificate.crt, 'invalid-cn', api: true)
- certificate.update(interface: 'registrar')
+ certificate = certificates(:registrar)
 assert @user.pki_ok?(certificate.crt, certificate.common_name, api: false)
 assert_not @user.pki_ok?(certificate.crt, 'invalid-cn', api: false)
 certificate.update(revoked: true)
 assert_not @user.pki_ok?(certificate.crt, certificate.common_name, api: false)
+
+ certificate = certificates(:api)
+ certificate.update(revoked: true)
+ assert_not @user.pki_ok?(certificate.crt, certificate.common_name, api: true)
 end
 private