3 files changed, 16 insertions, 5 deletions

diff --git a/include/opertype.h b/include/opertype.h
index 855dc8afb..d9f0f709f 100644
--- a/include/opertype.h
+++ b/include/opertype.h
@@ -23,7 +23,7 @@ struct CoreExport Oper
 	/* Whether the user must be an IRC operator (umode +o) to be considered a services operator */
 	bool require_oper = true;
 	Anope::string password;
-	Anope::string certfp;
+	std::vector<Anope::string> certfp;
 	/* Hosts allowed to use this operator block */
 	std::vector<Anope::string> hosts;
 	Anope::string vhost;
diff --git a/src/config.cpp b/src/config.cpp
index 99720ef2e..eb037c76a 100644
--- a/src/config.cpp
+++ b/src/config.cpp
@@ -319,7 +319,7 @@ Conf::Conf() : Block("")
 		auto *o = new Oper(nname, ot);
 		o->require_oper = require_oper;
 		o->password = password;
-		o->certfp = certfp;
+		spacesepstream(certfp).GetTokens(o->certfp);
 		spacesepstream(host).GetTokens(o->hosts);
 		o->vhost = vhost;
 
diff --git a/src/users.cpp b/src/users.cpp
index 7761cb5c7..075f6c157 100644
--- a/src/users.cpp
+++ b/src/users.cpp
@@ -471,9 +471,20 @@ bool User::IsServicesOper()
 		return false;
 	else if (this->nc->o->require_oper && !this->HasMode("OPER"))
 		return false;
-	else if (!this->nc->o->certfp.empty() && this->fingerprint != this->nc->o->certfp)
-		// Certfp mismatch
-		return false;
+	else if (!this->nc->o->certfp.empty())
+	{
+		bool match = false;
+		for (const auto &certfp : this->nc->o->certfp)
+		{
+			if (this->fingerprint == certfp)
+			{
+				match = true;
+				break;
+			}
+		}
+		if (!match)
+			return false;
+	}
 	else if (!this->nc->o->hosts.empty())
 	{
 		bool match = false;