diff --git a/cmd/csaf_provider/config.go b/cmd/csaf_provider/config.go
index 65e1dce..a5b1bc6 100644
--- a/cmd/csaf_provider/config.go
+++ b/cmd/csaf_provider/config.go
@@ -44,6 +44,7 @@ type config struct {
 	DynamicProviderMetaData bool            `toml:"dynamic_provider_metadata"`
 	Publisher               *csaf.Publisher `toml:"publisher"`
 	UploadLimit             *int64          `toml:"upload_limit"`
+	Issuer                  string          `toml:"issuer"`
 }
 
 type tlp string
diff --git a/cmd/csaf_provider/controller.go b/cmd/csaf_provider/controller.go
index 407bc28..577a166 100644
--- a/cmd/csaf_provider/controller.go
+++ b/cmd/csaf_provider/controller.go
@@ -76,7 +76,7 @@ func (c *controller) auth(
 		log.Printf("SSL_CLIENT_VERIFY: %s\n", verify)
 
 		switch {
-		case verify == "SUCCESS":
+		case verify == "SUCCESS" && os.Getenv("SSL_CLIENT_I_DN") == c.cfg.Issuer:
 			log.Printf("user: %s\n", os.Getenv("SSL_CLIENT_S_DN"))
 			log.Printf("ca: %s\n", os.Getenv("SSL_CLIENT_I_DN"))
 		case c.cfg.Password == nil: