diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 37bda3d41..02f1e5c4c 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -44,9 +44,7 @@ class Registrar::SessionsController < Devise::SessionsController
 end
 if @depp_user.pki
- logger.error Digest::MD5.hexdigest(request.env['HTTP_SSL_CLIENT_CERT'])
- logger.error @api_user.certificates.registrar.pluck(:md5)
- unless @api_user.registrar_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'])
+ unless @api_user.registrar_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
 @depp_user.errors.add(:base, :invalid_cert)
 end
 end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 7b416ba8d..cf8dc5923 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -45,8 +45,12 @@ class ApiUser < User
 registrar.messages.queued
 end
- def registrar_pki_ok?(crt)
- certificates.registrar.exists?(crt: crt)
+ def registrar_pki_ok?(crt, cn)
+ cert = OpenSSL::X509::Certificate.new(crt)
+ md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
+ logger.error(md5)
+ logger.error(cn)
+ certificates.registrar.exists?(md5: md5, cn: cn)
 end
 def api_pki_ok?(crt)
diff --git a/app/models/certificate.rb b/app/models/certificate.rb
index 8f0255210..b354f87f2 100644
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@@ -38,13 +38,12 @@ class Certificate < ActiveRecord::Base
 pc = parsed_crt.try(:subject).try(:to_s) || ''
 cn = pc.scan(/\/CN=(.+)/).flatten.first
 self.common_name = cn.split('/').first
- self.md5 = Digest::MD5.hexdigest(crt)
+ self.md5 = OpenSSL::Digest::MD5.new(parsed_crt.to_der).to_s
 self.interface = API
 elsif csr
 pc = parsed_csr.try(:subject).try(:to_s) || ''
 cn = pc.scan(/\/CN=(.+)/).flatten.first
 self.common_name = cn.split('/').first
- self.md5 = Digest::MD5.hexdigest(csr)
 self.interface = REGISTRAR
 end
 end
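Review bot: In sessions_controller.rb the certificate and the CN reach `registrar_pki_ok?` as two independent values, `request.env['HTTP_SSL_CLIENT_CERT']` and `request.env['HTTP_SSL_CLIENT_S_DN_CN']`, and nothing here records who is allowed to set them. Rack builds `HTTP_*` keys from request headers, so the check presumably relies on the TLS-terminating proxy overwriting any client-sent copies; a comment such as `# SSL_CLIENT_* headers must be set, and client-sent copies stripped, by the TLS proxy` next to the call would document that assumption. Reading the CN from the parsed certificate inside the model would also remove the second header as an input. The enclosing action starts and ends outside the hunk.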
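Review bot: In `ApiUser#registrar_pki_ok?`, `OpenSSL::X509::Certificate.new(crt)` raises when the header is missing or is not a parsable certificate, so a bad client certificate becomes an unhandled exception rather than the `false` that makes the controller add `:invalid_cert`. A guard `return false if crt.blank? || cn.blank?` plus `rescue OpenSSL::X509::CertificateError` returning `false` keeps that failure on the normal path. The `logger.error(md5)` and `logger.error(cn)` lines look like leftover debugging and write to the error log on every login attempt; drop them or use `logger.debug`. The lookup also filters on `cn:` while certificate.rb in this same diff assigns `common_name`, so confirm the certificates table really has a `cn` column.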
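Review bot: In the certificate.rb hunk at -38, `self.md5` switches to a digest of `parsed_crt.to_der`, but rows saved earlier hold `Digest::MD5.hexdigest` of the PEM text or of the CSR, and `registrar_pki_ok?` now matches on `md5`. Unless a backfill exists outside this diff, existing registrar certificates would stop matching at login. The new line also calls `parsed_crt.to_der` directly although the line above guards the same object with `parsed_crt.try(:subject)`; if `parsed_crt` can be nil, as that `.try` suggests, this raises `NoMethodError`, and `self.md5 = OpenSSL::Digest::MD5.new(parsed_crt.to_der).to_s if parsed_crt` would keep the two lines consistent. The method this belongs to starts outside the hunk.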
@@ -91,6 +90,7 @@ class Certificate < ActiveRecord::Base
 if err.match(/Data Base Updated/)
 crt_file.rewind
 self.crt = crt_file.read
+ self.md5 = OpenSSL::Digest::MD5.new(parsed_crt.to_der).to_s
 save!
 else
 logger.error('FAILED TO CREATE CLIENT CERTIFICATE')
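Review bot: The added line is the third copy of the `OpenSSL::Digest::MD5.new(...to_der).to_s` expression in this diff (also in the certificate.rb hunk at -38 and in `ApiUser#registrar_pki_ok?`), and the stored and presented fingerprints only match while all three stay identical; one shared helper, for example a class method on `Certificate`, would remove that risk. Because the value decides whether a login is accepted, that helper is also the place to move from MD5 to `OpenSSL::Digest::SHA256`, which would need a matching column change. `parsed_crt` is defined outside the hunk: if it memoizes its result, confirm it is not cached from before `self.crt = crt_file.read`, otherwise the digest would not describe the newly signed certificate. The enclosing method starts and ends outside the hunk.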