diff --git a/config.go b/config.go
index efef53e..d089ffc 100644
--- a/config.go
+++ b/config.go
@@ -20,7 +20,7 @@ type Config struct {
 	MimeOverrides    map[string]string
 	CGIPaths         []string
 	SCGIPaths        map[string]string
-	CertificateZones map[string]string
+	CertificateZones map[string][]string
 	DirectorySort    string
 	DirectoryReverse bool
 	DirectoryTitles  bool
diff --git a/handler.go b/handler.go
index 6755c3f..c4cc0b8 100644
--- a/handler.go
+++ b/handler.go
@@ -94,16 +94,18 @@ func handleGeminiRequest(conn net.Conn, config Config, logEntries chan LogEntry)
 
 	// Check whether this URL is in a certificate zone
 	authorised := true
-	for zone, allowed_fingerprint := range config.CertificateZones {
+	for zone, allowedFingerprints := range config.CertificateZones {
 		matched, err := regexp.Match(zone, []byte(URL.Path))
 		if !matched || err != nil {
 			continue
 		}
 		authorised = false
-		for _, cert := range clientCerts {
-			if getCertFingerprint(cert) == allowed_fingerprint {
-				authorised = true
-				break
+		for _, clientCert := range clientCerts {
+			for _, allowedFingerprint := range allowedFingerprints {
+					if getCertFingerprint(clientCert) == allowedFingerprint {
+						authorised = true
+						break
+					}
 			}
 		}
 	}