diff --git a/launch.go b/launch.go
index c29595d..01f99bc 100644
--- a/launch.go
+++ b/launch.go
@@ -95,14 +95,12 @@ func launch(config Config, privInfo userInfo) int {
 	}
 	var tlscfg tls.Config
 	tlscfg.Certificates = []tls.Certificate{cert}
+	tlscfg.ClientAuth = tls.RequestClientCert
 	if config.AllowTLS12 {
 		tlscfg.MinVersion = tls.VersionTLS12
 	} else {
 		tlscfg.MinVersion = tls.VersionTLS13
 	}
-	if len(config.CertificateZones) > 0 {
-		tlscfg.ClientAuth = tls.RequestClientCert
-	}
 
 	// Try to chdir to /, so we don't block any mountpoints
 	// But if we can't for some reason it's no big deal