diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d358ad003..c023b33c6 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3347,7 +3347,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
     to.verify_hash = options->verify_hash;
     to.verify_hash_algo = options->verify_hash_algo;
     to.verify_hash_depth = options->verify_hash_depth;
-    to.verify_hash_no_ca = options->verify_hash_no_ca;
 #ifdef ENABLE_X509ALTUSERNAME
     memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
 #else
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e4c596b89..fe9285384 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2991,11 +2991,21 @@ options_postprocess_verify_ce(const struct options *options,
         else
         {
 #ifdef ENABLE_CRYPTO_MBEDTLS
+            if (!(options->ca_file))
+            {
+                msg(M_USAGE, "You must define CA file (--ca)");
+            }
+
             if (options->ca_path)
             {
                 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
             }
-#endif  /* ifdef ENABLE_CRYPTO_MBEDTLS */
+#else  /* ifdef ENABLE_CRYPTO_MBEDTLS */
+            if ((!(options->ca_file)) && (!(options->ca_path)))
+            {
+                msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
+            }
+#endif
             if (pull)
             {
 
@@ -3727,13 +3737,6 @@ options_postprocess_mutate(struct options *o, struct env_set *es)
         options_postprocess_http_proxy_override(o);
     }
 #endif
-    if (!o->ca_file && !o->ca_path && o->verify_hash
-        && o->verify_hash_depth == 0)
-    {
-        msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
-            "option set). ");
-        o->verify_hash_no_ca = true;
-    }
 
     if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
     {
@@ -4029,11 +4032,8 @@ options_postprocess_filechecks(struct options *options)
     errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
                                      options->dh_file, R_OK, "--dh");
 
-    if (!options->verify_hash_no_ca)
-    {
-        errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
-                                         options->ca_file, R_OK, "--ca");
-    }
+    errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
+                                     options->ca_file, R_OK, "--ca");
 
     errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
                                      options->ca_path, R_OK, "--capath");
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index f5890b90f..95f1158a4 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -604,7 +604,6 @@ struct options
     struct verify_hash_list *verify_hash;
     hash_algo_type verify_hash_algo;
     int verify_hash_depth;
-    bool verify_hash_no_ca;
     unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
 
 #ifdef ENABLE_PKCS11
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 27b029479..c0b3caa71 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -345,7 +345,6 @@ struct tls_options
     const char *remote_cert_eku;
     struct verify_hash_list *verify_hash;
     int verify_hash_depth;
-    bool verify_hash_no_ca;
     hash_algo_type verify_hash_algo;
 #ifdef ENABLE_X509ALTUSERNAME
     char *x509_username_field[MAX_PARMS];
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index e3437f740..c9ef7a171 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -62,22 +62,6 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
     struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc);
     cert_hash_remember(session, cert_depth, &cert_fingerprint);
 
-    if (session->opt->verify_hash_no_ca)
-    {
-        /*
-         * If we decide to verify the peer certificate based on the fingerprint
-         * we ignore wrong dates and the certificate not being trusted.
-         * Any other problem with the certificate (wrong key, bad cert,...)
-         * will still trigger an error.
-         * Clearing these flags relies on verify_cert will later rejecting a
-         * certificate that has no matching fingerprint.
-         */
-        uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
-                                | MBEDTLS_X509_BADCERT_EXPIRED
-                                | MBEDTLS_X509_BADCERT_FUTURE;
-        *flags = *flags & ~flags_ignore;
-    }
-
     /* did peer present cert which was signed by our root cert? */
     if (*flags != 0)
     {
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index e24ce4e4a..ac36f09db 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -67,7 +67,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
     cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash);
 
     /* did peer present cert which was signed by our root cert? */
-    if (!preverify_ok && !session->opt->verify_hash_no_ca)
+    if (!preverify_ok)
     {
         /* get the X509 name */
         char *subject = x509_get_subject(current_cert, &gc);