diff --git a/confluent_server/confluent/util.py b/confluent_server/confluent/util.py
index d74695ff..f1060aec 100644
--- a/confluent_server/confluent/util.py
+++ b/confluent_server/confluent/util.py
@@ -314,7 +314,7 @@ class TLSCertVerifier(object):
 tasks.spawn(self.cfm.set_node_attributes(
 {self.node: {self.fieldname: fingerprint}}))
 return True
-elif cert_matches(storedprint, certificate):
+elif cert_matches(storedprint, certificate) and newpolicy != 'ca-only':
 return True
 fingerprint = get_fingerprint(certificate, 'sha256')
 # No pinned certificate match
@@ -328,7 +328,8 @@ class TLSCertVerifier(object):
 {self.node: {self.fieldname: fingerprint}}))
 return True
 except Exception:
-if newpolicy == 'ca-only':
+if newpolicy == 'ca-only':
+raise
 raise cexc.PubkeyInvalid(
 'Mismatched certificate detected', certificate, fingerprint,
 self.fieldname, 'mismatch')
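Review bot: The new `and newpolicy != 'ca-only'` condition on the `elif` changes the trust decision for a pinned certificate without saying so: under the ca-only policy a fingerprint match no longer grants access by itself and the call falls through to the CA-validation path below, which appears to re-write the node attribute via `set_node_attributes` on success. A one-line comment above the `elif` would make that intent reviewable, e.g. `# ca-only: a pinned fingerprint alone is not trusted; the certificate must also pass CA validation below`. `newpolicy` and the enclosing method's signature are outside this hunk, so whether it can be unset or carry values other than 'ca-only' at this point cannot be confirmed here.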
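Review bot: The bare `raise` added under `except Exception:` propagates whatever the try body threw, so in ca-only mode callers that handle `cexc.PubkeyInvalid` (the type the fall-through path raises two lines below) will instead see an arbitrary exception, and because the handler is `except Exception` that includes unrelated programming errors, not only verification failures. Consider binding the exception and re-raising as the domain type with the cause chained, e.g. `except Exception as err:` then `raise cexc.PubkeyInvalid('Mismatched certificate detected', certificate, fingerprint, self.fieldname, 'mismatch') from err` inside the `if newpolicy == 'ca-only':` branch, so the caller's handling stays uniform while the original traceback is preserved. The start of the try body is outside this hunk, so which operations can fail there is not visible from the diff.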