diff --git a/src/connectionmanager.cpp b/src/connectionmanager.cpp
index 1ca85e7ea522f030a90864d316ac8d1a1b15b9f3..baab5af5f579805f52c4e76e7a19385d817c3733 100644
--- a/src/connectionmanager.cpp
+++ b/src/connectionmanager.cpp
@@ -1124,10 +1124,17 @@ ConnectionManager::Impl::onRequestOnNegoDone(const PeerConnectionRequest& req)
 config_->ioContext,
 identity(),
 dhParams(),
- [ph, w = weak()](const dht::crypto::Certificate& cert) {
+ [ph, deviceId, w=weak(), l=config_->logger](const dht::crypto::Certificate& cert) {
 auto shared = w.lock();
 if (!shared)
 return false;
+ if (cert.getPublicKey().getId() != ph
+ || deviceId != cert.getPublicKey().getLongId()) {
+ if (l) l->warn("[device {}] TLS certificate with ID {} doesn't match the DHT request.",
+ deviceId,
+ cert.getPublicKey().getLongId());
+ return false;
+ }
 auto crt = shared->certStore().getCertificate(cert.getLongId().toString());
 if (!crt)
 return false;
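Review bot: The new identity check in the certificate callback has no comment explaining why it is there, and its warning prints only the certificate's long ID, so a rejection caused by the `getId() != ph` comparison alone would log an ID that may equal `deviceId`. I would add above the `if` a comment such as `// Bind the TLS peer to the device named in the DHT request; a certificate that is merely known to the store must not be accepted for another device.` and include the short hash in the message, e.g. `"... TLS certificate {} / {} doesn't match the DHT request."` with `cert.getPublicKey().getId()` as an extra argument. `cert.getPublicKey()` is called three times; binding it once with `const auto& pk = cert.getPublicKey();` would read better and avoids copies if it returns by value (its return type is not visible here). The `!crt` rejection right after remains silent, which makes the two failure causes hard to tell apart in logs. The lambda and `onRequestOnNegoDone` both continue outside the hunk, so where `ph` and `deviceId` are derived cannot be checked from here.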