diff --git a/app/controllers/admin/api_users_controller.rb b/app/controllers/admin/api_users_controller.rb
index e257269df..54105e87e 100644
--- a/app/controllers/admin/api_users_controller.rb
+++ b/app/controllers/admin/api_users_controller.rb
@@ -12,7 +12,10 @@ class Admin::ApiUsersController < AdminController
   end
 
   def create
-    @api_user = ApiUser.new(api_user_params)
+    app = api_user_params
+    app[:csr] = params[:api_user][:csr].open.read if params[:api_user][:csr]
+
+    @api_user = ApiUser.new(app)
 
     if @api_user.save
       flash[:notice] = I18n.t('record_created')
diff --git a/app/controllers/epp/contacts_controller.rb b/app/controllers/epp/contacts_controller.rb
index 1a3f374c7..35be64ef0 100644
--- a/app/controllers/epp/contacts_controller.rb
+++ b/app/controllers/epp/contacts_controller.rb
@@ -70,7 +70,7 @@ class Epp::ContactsController < EppController
   end
 
   ## UPDATE
-  def validate_update
+  def validate_updatezz
     @ph = params_hash['epp']['command']['update']['update']
     update_attrs_present?
     # xml_attrs_present?(@ph, [['id'], %w(authInfo pw)])
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 4f2491bfc..d1582204e 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -25,35 +25,18 @@ class ApiUser < ActiveRecord::Base
   end
 
   def create_crt
-    request = OpenSSL::X509::Request.new(csr)
-    fail 'CSR can not be verified' unless request.verify request.public_key
-    ca_cert = OpenSSL::X509::Certificate.new(File.read(APP_CONFIG['ca_cert_path']))
-    ca_key = OpenSSL::PKey::RSA.new(File.read(APP_CONFIG['ca_key_path']), APP_CONFIG['ca_key_password'])
+    csr_file = Tempfile.new('client_csr')
+    csr_file.write(csr)
+    csr_file.rewind
 
-    csr_cert = OpenSSL::X509::Certificate.new
-    csr_cert.serial = 0
-    csr_cert.version = 2
-    csr_cert.not_before = Time.now
-    csr_cert.not_after = Time.now + 600
+    crt_file = Tempfile.new('client_crt')
 
-    csr_cert.subject = request.subject
-    csr_cert.public_key = request.public_key
-    csr_cert.issuer = ca_cert.subject
+    `openssl ca -keyfile #{APP_CONFIG['ca_key_path']} -cert #{APP_CONFIG['ca_cert_path']} \
+    -extensions usr_cert -notext -md sha256 \
+    -in #{csr_file.path} -out #{crt_file.path} -key '#{APP_CONFIG['ca_key_password']}' -batch`
 
-    extension_factory = OpenSSL::X509::ExtensionFactory.new
-    extension_factory.subject_certificate = csr_cert
-    extension_factory.issuer_certificate = ca_cert
-
-    csr_cert.add_extension extension_factory.create_extension('basicConstraints', 'CA:FALSE')
-
-    csr_cert.add_extension extension_factory.create_extension(
-        'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
-
-    csr_cert.add_extension extension_factory.create_extension('subjectKeyIdentifier', 'hash')
-
-    csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new
-
-    self.crt = csr_cert.to_pem
+    crt_file.rewind
+    self.crt = crt_file.read
   end
 end
 # rubocop: enable Metrics/ClassLength