diff --git a/changelog.md b/changelog.md
index d6428b8..89eab8d 100644
--- a/changelog.md
+++ b/changelog.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 ### Changed
 - improve formatting and german translation of login page
+- enforce selection of an email address for multi-address client certificates
 
 ## [0.2.0] - 2023-07-29
 ### Added
diff --git a/internal/services/i18n.go b/internal/services/i18n.go
index f6427d2..32ccc23 100644
--- a/internal/services/i18n.go
+++ b/internal/services/i18n.go
@@ -121,6 +121,10 @@ func AddMessages(catalog *MessageCatalog) error {
 		ID:    "HintChooseAnIdentityForAuthentication",
 		Other: "Choose an identity for authentication.",
 	}
+	messages["NoEmailAddressSelected"] = &i18n.Message{
+		ID:    "NoEmailAddressSelected",
+		Other: "You did not select an email address. Please select an email address to continue.",
+	}
 	messages["NoEmailsInClientCertificateTitle"] = &i18n.Message{
 		ID:    "NoEmailsInClientCertificateTitle",
 		Other: "No email addresses in client certificate",
diff --git a/translations/active.de.toml b/translations/active.de.toml
index 08c3ad8..6de7d8c 100644
--- a/translations/active.de.toml
+++ b/translations/active.de.toml
@@ -85,6 +85,10 @@ other = "In Deinem Anmelde-Request fehlt der notwendige `login_challenge`-Parame
 hash = "sha1-b039c647fea0e42bcb0c877c58da499d082f5319"
 other = "Kein Challenge-Parameter im Anmelde-Request"
 
+[NoEmailAddressSelected]
+hash = "sha1-09fdefe67eae9915e32b18c50baf985d5bd27d36"
+other = "Du hast keine E-Mail-Adresse ausgewählt. Bitte wähle eine E-Mail-Adresse, um die Anmeldung fortzusetzen."
+
 [NoEmailsInClientCertificateExplanation]
 hash = "sha1-ab76bd1bed709ebb19a1b9e48c611271551f3343"
 other = "Das genutzte Client-Zertifikate enthielt keine E-Mail-Adressen.\nEine E-Mail-Adresse ist erforderlich, um dich anzumelden."
diff --git a/translations/active.en.toml b/translations/active.en.toml
index 4902f65..38fd2c2 100644
--- a/translations/active.en.toml
+++ b/translations/active.en.toml
@@ -16,6 +16,7 @@ LogoutSuccessfulText = "You have been logged out successfully."
 LogoutSuccessfulTitle = "Logout successful"
 NoChallengeInRequestExplanation = "Your authentication request did not contain the necessary `login_challenge` parameter. You can find more information about this parameter in [the ORY Hydra documentation](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow)."
 NoChallengeInRequestTitle = "No challenge parameter in your authentication request"
+NoEmailAddressSelected = "You did not select an email address. Please select an email address to continue."
 NoEmailsInClientCertificateExplanation = "The presented client certificate does not contain any email address value.\nAn email address is required to authenticate yourself."
 NoEmailsInClientCertificateTitle = "No email addresses in client certificate"
 Scope-email-Description = "Access your email address."
diff --git a/ui/templates/client_certificate.gohtml b/ui/templates/client_certificate.gohtml
index 0f12330..9e45da6 100644
--- a/ui/templates/client_certificate.gohtml
+++ b/ui/templates/client_certificate.gohtml
@@ -4,6 +4,11 @@
         <h1 class="h3 mb-3">{{ .Title }}</h1>
         <p class="text-left">{{ .IntroText }}</p>
         <p class="text-left">{{ .EmailChoiceText }}</p>
+        {{ with .FlashMessage }}
+            <div class="alert alert-{{ .Type }}" role="alert">
+                {{ .Message }}
+            </div>
+        {{ end }}
         <div class="mb-3">
             {{ if eq (len .emails) 1 }}
                 {{ $email_address := index .emails 0 }}