diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index 7651eace5..b6b75fcfd 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -9,13 +9,12 @@ class Epp::SessionsController < EppController
   # rubocop: disable Metrics/CyclomaticComplexity
   def login
     cert_valid = true
-    if request.ip == ENV['webclient_ip']
-      @api_user = ApiUser.find_by(login_params)
-    else
-      if request.env['HTTP_SSL_CLIENT_S_DN_CN'] != login_params[:username]
+    @api_user = ApiUser.find_by(login_params)
+
+    if request.ip != ENV['webclient_ip'] && @api_user
+      unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
         cert_valid = false
       end
-      @api_user = ApiUser.find_by(login_params)
     end
 
     if @api_user.try(:active) && cert_valid && ip_white? && connection_limit_ok?
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index efc3c5de5..75746d340 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -54,8 +54,13 @@ class ApiUser < User
     certificates.registrar.exists?(md5: md5, common_name: cn)
   end
 
-  def api_pki_ok?(crt)
-    certificates.api.exists?(crt: crt)
+  def api_pki_ok?(crt, cn)
+    crt = crt.split(' ').join("\n")
+    crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
+    crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
+    cert = OpenSSL::X509::Certificate.new(crt)
+    md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
+    certificates.api.exists?(md5: md5, common_name: cn)
   end
 
   class << self