diff --git a/includes/account.php b/includes/account.php
index 3b2c36e..88fede5 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -313,6 +313,16 @@
 $fp = fopen($CSRname, "w");
 fputs($fp, $emails);
 fclose($fp);
+ $challenge=$_SESSION['spkac_hash'];
+ $res=`openssl spkac -verify -in $CSRname`;
+ if(!strstr($res,"Challenge String: ".$challenge))
+ {
+ $id = $oldid;
+ showheader(_("My CAcert.org Account!"));
+ echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.");
+ showfooter();
+ exit;
+ }
 mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='".intval($emailid)."'");
 } else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype'] == "VI") {
 if($csr == "")
@@ -1361,6 +1371,16 @@
 $fp = fopen($CSRname, "w");
 fputs($fp, $emails);
 fclose($fp);
+ $challenge=$_SESSION['spkac_hash'];
+ $res=`openssl spkac -verify -in $CSRname`;
+ if(!strstr($res,"Challenge String: ".$challenge))
+ {
+ $id = $oldid;
+ showheader(_("My CAcert.org Account!"));
+ echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.");
+ showfooter();
+ exit;
+ }
 mysql_query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'");
 } else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype']=="VI") {
 $csr = "-----BEGIN CERTIFICATE REQUEST-----\n".clean_csr($_REQUEST['CSR'])."-----END CERTIFICATE REQUEST-----\n";
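Review bot: The new check in the first hunk passes vacuously when `$_SESSION['spkac_hash']` is unset or empty: `$challenge` becomes `''` and `strstr($res, "Challenge String: ")` then matches any SPKAC that openssl can print, so a request that never went through the step that seeds the session value is accepted. The comparison is also a substring match rather than an exact match of the challenge line, and only the text output is inspected — the exit status of `openssl spkac -verify` is never consulted, so (as far as I recall openssl's behaviour, which I have not re-verified here) a SPKAC whose signature fails verification but still carries the expected challenge text would print the challenge line and pass. `$CSRname` is interpolated into a backtick shell command without `escapeshellarg()`; it appears to be server-constructed, but quoting it costs nothing and removes the dependence on that assumption. The enclosing function starts and ends outside this hunk. I would require a non-empty session challenge, run openssl through `exec()` so the return code is available, and compare the extracted challenge line exactly:
```php
$challenge = isset($_SESSION['spkac_hash']) ? $_SESSION['spkac_hash'] : '';
$out = array();
$rc = 1;
exec('openssl spkac -verify -in ' . escapeshellarg($CSRname), $out, $rc);
$matched = preg_match('/^Challenge String: (.*)$/m', implode("\n", $out), $m);
if($challenge === '' || $rc !== 0 || !$matched || $m[1] !== $challenge)
{
    // … unchanged: $id = $oldid; showheader(); error message; showfooter(); exit; …
}
```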
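Review bot: The second hunk pastes the same ten-line challenge check that the first hunk adds around line 313 into the org-cert path, so any correction to one copy (the empty-session bypass, the unchecked openssl exit status, the unescaped `$CSRname` in the backtick command) has to be made twice and the two copies will drift. I would move the check into a single helper, e.g. `function spkac_challenge_matches($csrname, $challenge)` returning bool, and call it from both places with the existing error page kept at each call site. The enclosing function starts and ends outside this hunk; note also that the surrounding `mysql_query` here interpolates `'$emailid'` raw where the first hunk's counterpart wraps it in `intval()` — pre-existing rather than introduced by this commit, but worth aligning while this block is being touched.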