diff --git a/doc/sample.config b/doc/sample.config
index 81faed17..7f326924 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -29,6 +29,7 @@
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
 auth = "plain[./sample.passwd]"
+#auth = "certificate"
 #auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
 # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
@@ -69,7 +70,7 @@ udp-port = 443
 # connections (i.e., without SSL/TLS unlike its TCP counterpart),
 # and uses it as the primary channel. That option cannot be
 # combined with certificate authentication.
-listen-clear-file = /var/run/ocserv-conn.socket
+#listen-clear-file = /var/run/ocserv-conn.socket
 # Stats report time. The number of seconds after which each
 # worker process will report its usage statistics (number of
@@ -134,13 +135,13 @@ server-key = ../tests/server-key.pem
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
-#ca-cert = /path/to/ca.pem
+ca-cert = ../tests/ca.pem
 # The object identifier that will be used to read the user ID in the client
 # certificate. The object identifier should be part of the certificate's DN
 # Useful OIDs are:
 # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
-#cert-user-oid = 0.9.2342.19200300.100.1.1
+cert-user-oid = 0.9.2342.19200300.100.1.1
 # The object identifier that will be used to read the user group in the
 # client certificate. The object identifier should be part of the certificate's
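Review bot: The `+ca-cert = ../tests/ca.pem` line in the -134 hunk makes the shipped sample trust what is presumably the test-suite CA, whose signing key is most likely checked in next to it, so anyone who copies sample.config and switches `auth` to `"certificate"` ends up trusting a key that is not theirs. The old placeholder `#ca-cert = /path/to/ca.pem` could not be used by accident. If the test run needs a working sample, a comment above the line, `# test-suite CA used by the test harness; replace with your own CA before deployment`, or keeping the placeholder here and pointing the tests at their own copy, avoids that. The `cert-user-oid` line uncommented in the same hunk is harmless by comparison, but it too turns a documented default into a live setting.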
@@ -370,7 +371,7 @@ no-route = 192.168.5.0/255.255.255.0
 # or the groupname.
 # The options allowed in the configuration files are dns, nbns,
 # ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route,
-# net-priority, deny-roaming, no-udp, user-profile, require-cert, and cgroup.
+# net-priority, deny-roaming, no-udp, user-profile, and cgroup.
 #
 # Note that the 'iroute' option allows to add routes on the server
 # based on a user or group. The syntax depends on the input accepted
diff --git a/src/config.c b/src/config.c
index 0db5dce6..723da54c 100644
--- a/src/config.c
+++ b/src/config.c
@@ -437,7 +437,6 @@ static auth_types_st avail_auth_types[] = {NAME("radius"), &radius_auth_funcs, AUTH_TYPE_RADIUS, radius_get_brackets_string},
 #endif
 {NAME("plain"), &plain_auth_funcs, AUTH_TYPE_PLAIN, get_brackets_string},
-{NAME("certificate[optional]"), NULL, AUTH_TYPE_CERTIFICATE_OPT, NULL},
 {NAME("certificate"), NULL, AUTH_TYPE_CERTIFICATE, NULL},
 };
@@ -860,7 +859,7 @@ static void check_cfg(struct cfg_st *config)
 }
 if (config->auth[0].type & AUTH_TYPE_CERTIFICATE) {
-if (config->cisco_client_compat == 0 && ((config->auth[0].type & AUTH_TYPE_CERTIFICATE_OPT) != AUTH_TYPE_CERTIFICATE_OPT))
+if (config->cisco_client_compat == 0)
 config->cert_req = GNUTLS_CERT_REQUIRE;
 else
 config->cert_req = GNUTLS_CERT_REQUEST;
diff --git a/src/ipc.proto b/src/ipc.proto
index bfd118f4..582af828 100644
--- a/src/ipc.proto
+++ b/src/ipc.proto
@@ -235,7 +235,6 @@ message sec_auth_session_reply_msg
 /* sup - config */
 optional bool no_udp = 10;
 optional bool deny_roaming = 11;
-optional bool require_cert = 12;
 repeated string routes = 13;
 repeated string iroutes = 14;
 repeated string dns = 15;
diff --git a/src/main-auth.c b/src/main-auth.c
index 564766c2..5a6b150d 100644
--- a/src/main-auth.c
+++ b/src/main-auth.c
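Review bot: The new `if (config->cisco_client_compat == 0)` in check_cfg keeps an `else` branch that sets `GNUTLS_CERT_REQUEST`, which lets the TLS handshake complete with no client certificate at all, and nothing in the function says where the certificate is enforced in that mode. The worker-auth.c hunks in this commit test `ws->cert_auth_ok` after the handshake, but the cookie path there is itself skipped when `cisco_client_compat` is set, so the intended guarantee is only recoverable by reading three files. Suggest a comment above the `if`: `/* cisco-client-compat: only request the certificate at the TLS layer; its presence is enforced by the worker after the handshake */`. check_cfg continues outside the hunk.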
@@ -263,12 +263,6 @@ struct proc_st *old_proc;
 mslog(s, proc, LOG_DEBUG, "new cookie session for (%u)", (unsigned)proc->pid);
 }
-if (proc->config.require_cert != 0 && cmsg->tls_auth_ok == 0) {
-mslog(s, proc, LOG_ERR,
-"certificate is required for user '%s'", proc->username);
-return -1;
-}
-
 if (cmsg->hostname)
 strlcpy(proc->hostname, cmsg->hostname, sizeof(proc->hostname));
diff --git a/src/main-misc.c b/src/main-misc.c
index aeca4ca8..11c0ab9c 100644
--- a/src/main-misc.c
+++ b/src/main-misc.c
@@ -245,9 +245,6 @@ int session_cmd(main_server_st * s, struct proc_st *proc, const uint8_t *cookie,
 if (msg->has_deny_roaming)
 proc->config.deny_roaming = msg->deny_roaming;
-if (msg->has_require_cert)
-proc->config.require_cert = msg->require_cert;
-
 if (msg->has_ipv6_prefix)
 proc->config.ipv6_prefix = msg->ipv6_prefix;
diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index 489a9641..330fa9fb 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -448,7 +448,7 @@ no-route = 192.168.5.0/255.255.255.0
 # The options allowed in the configuration files are dns, nbns,
 # ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
 # explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
-# user-profile, require-cert, and cgroup.
+# user-profile, and cgroup.
 #
 # Note that the 'iroute' option allows to add routes on the server
 # based on a user or group. The syntax depends on the input accepted
diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c
index 948be679..40cbb1a4 100644
--- a/src/sec-mod-auth.c
+++ b/src/sec-mod-auth.c
@@ -184,15 +184,10 @@ static int check_user_group_status(sec_mod_st * sec, client_entry_st * e,
 unsigned cert_groups_size)
 {
 unsigned found, i;
-unsigned need_cert = 1;
 if (e->auth_type & AUTH_TYPE_CERTIFICATE) {
-if ((e->auth_type & AUTH_TYPE_CERTIFICATE_OPT) == AUTH_TYPE_CERTIFICATE_OPT) {
-need_cert = 0;
-}
-
-if (tls_auth_ok == 0 && need_cert != 0) {
+if (tls_auth_ok == 0) {
 seclog(sec, LOG_INFO, "user '%s' presented no certificate", e->username);
 return -1;
diff --git a/src/sup-config/file.c b/src/sup-config/file.c
index 867cbf72..4c1e65bd 100644
--- a/src/sup-config/file.c
+++ b/src/sup-config/file.c
@@ -44,7 +44,6 @@ struct cfg_options {
 static struct cfg_options available_options[] = {
 { .name = "no-udp", .type = OPTION_BOOLEAN },
 { .name = "deny-roaming", .type = OPTION_BOOLEAN },
-{ .name = "require-cert", .type = OPTION_BOOLEAN },
 { .name = "route", .type = OPTION_MULTI_LINE },
 { .name = "no-route", .type = OPTION_MULTI_LINE },
 { .name = "iroute", .type = OPTION_MULTI_LINE },
@@ -183,7 +182,6 @@ unsigned prefix = 0;
 READ_TF("no-udp", msg->no_udp, msg->has_no_udp);
 READ_TF("deny-roaming", msg->deny_roaming, msg->has_deny_roaming);
-READ_TF("require-cert", msg->require_cert, msg->has_require_cert);
 READ_RAW_MULTI_LINE("route", msg->routes, msg->n_routes);
 READ_RAW_MULTI_LINE("no-route", msg->no_routes, msg->n_no_routes);
diff --git a/src/vpn.h b/src/vpn.h
index 2f7d58ee..6a57b452 100644
--- a/src/vpn.h
+++ b/src/vpn.h
@@ -84,7 +84,6 @@ extern int syslog_open;
 #define AUTH_TYPE_PAM (1<<1 | AUTH_TYPE_USERNAME_PASS)
 #define AUTH_TYPE_PLAIN (1<<2 | AUTH_TYPE_USERNAME_PASS)
 #define AUTH_TYPE_CERTIFICATE (1<<3)
-#define AUTH_TYPE_CERTIFICATE_OPT (1<<4|AUTH_TYPE_CERTIFICATE)
 #define AUTH_TYPE_RADIUS (1<<5 | AUTH_TYPE_USERNAME_PASS)
 #define AUTH_TYPE_GSSAPI (1<<6)
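Review bot: `if (tls_auth_ok == 0)` in check_user_group_status now makes a missing certificate fatal for every `AUTH_TYPE_CERTIFICATE` session, and nothing in the function records that the optional mode is gone, so a reader meeting `tls_auth_ok` still has to guess whether zero can ever be tolerated. A one-line comment above the `if`, `/* certificate auth is never optional: a session with no verified client certificate is rejected */`, states the contract this commit introduces. The signature begins in the hunk header and the body continues past the hunk, so the `cert_user`/`cert_groups` handling that follows could not be reviewed here.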
@@ -180,7 +179,6 @@ struct group_cfg_st {
 unsigned deny_roaming; /* whether the user is allowed to re-use cookies from another IP */
 unsigned net_priority;
 unsigned no_udp; /* whether to disable UDP for this user */
-unsigned require_cert; /* when optional certificate auth is selected require a certificate */
 };
 struct vpn_st {
diff --git a/src/worker-auth.c b/src/worker-auth.c
index 5c287e64..abc4dbd4 100644
--- a/src/worker-auth.c
+++ b/src/worker-auth.c
@@ -812,13 +812,11 @@ int auth_cookie(worker_st * ws, void *cookie, size_t cookie_size)
 if ((ws->selected_auth->type & AUTH_TYPE_CERTIFICATE) && ws->config->cisco_client_compat == 0) {
-if (((ws->selected_auth->type & AUTH_TYPE_CERTIFICATE_OPT) != AUTH_TYPE_CERTIFICATE_OPT && ws->cert_auth_ok == 0)) {
+if (ws->cert_auth_ok == 0) {
 oclog(ws, LOG_INFO, "no certificate provided for cookie authentication");
 return -1;
-}
-
-if (ws->cert_auth_ok != 0) {
+} else {
 ret = get_cert_info(ws);
 if (ret < 0) {
 oclog(ws, LOG_INFO, "cannot obtain certificate info");
@@ -1193,14 +1191,12 @@ int post_auth_handler(worker_st * ws, unsigned http_ver)
 }
 if (ws->selected_auth->type & AUTH_TYPE_CERTIFICATE) {
-if ((ws->selected_auth->type & AUTH_TYPE_CERTIFICATE_OPT) != AUTH_TYPE_CERTIFICATE_OPT && ws->cert_auth_ok == 0) {
+if (ws->cert_auth_ok == 0) {
 reason = MSG_NO_CERT_ERROR;
 oclog(ws, LOG_INFO, "no certificate provided for authentication");
 goto auth_fail;
-}
-
-if (ws->cert_auth_ok != 0) {
+} else {
 ret = get_cert_info(ws);
 if (ret < 0) {
 reason = MSG_CERT_READ_ERROR;
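Review bot: The `} else {` added after the unconditional `return -1` in auth_cookie adds a nesting level for no benefit; dropping the `else` and leaving `ret = get_cert_info(ws);` at the enclosing level reads as a plain guard clause, and the same shape appears in the post_auth_handler hunk below, where the first branch ends in `goto auth_fail`. A second, documentation point on the same hunk: the whole auth_cookie block is guarded by `ws->config->cisco_client_compat == 0`, so a cookie re-authentication in compat mode is accepted without any certificate check, while post_auth_handler applies `if (ws->cert_auth_ok == 0)` unconditionally; if that asymmetry is intended it deserves a comment on the outer `if`, e.g. `/* cisco-client-compat: certificate presence is not re-checked on cookie reconnection; the cookie alone authenticates the session */`. Both functions continue outside their hunks.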