diff --git a/connection_manager.go b/connection_manager.go
index 8e3d948..b675213 100644
--- a/connection_manager.go
+++ b/connection_manager.go
@@ -478,19 +478,19 @@ func (cm *connectionManager) swapPrimary(current, primary *HostInfo) {
 	cm.hostMap.Unlock()
 }
 
-// isInvalidCertificate will check if we should destroy a tunnel if pki.disconnect_invalid is true and
-// the certificate is no longer valid, or if we no longer have a certificate of the same version as the remote.
+// isInvalidCertificate decides if we should destroy a tunnel.
+// returns true if pki.disconnect_invalid is true and the certificate is no longer valid.
 // Blocklisted certificates will skip the pki.disconnect_invalid check and return true.
 func (cm *connectionManager) isInvalidCertificate(now time.Time, hostinfo *HostInfo) bool {
 	remoteCert := hostinfo.GetCert()
 	if remoteCert == nil {
-		return false
+		return false //don't tear down tunnels for handshakes in progress
 	}
 
 	caPool := cm.intf.pki.GetCAPool()
 	err := caPool.VerifyCachedCertificate(now, remoteCert)
 	if err == nil {
-		return false
+		return false //cert is still valid! yay!
 	} else if err == cert.ErrBlockListed { //avoiding errors.Is for speed
 		// Block listed certificates should always be disconnected
 		hostinfo.logger(cm.l).WithError(err).
@@ -502,27 +502,10 @@ func (cm *connectionManager) isInvalidCertificate(now time.Time, hostinfo *HostI
 			WithField("fingerprint", remoteCert.Fingerprint).
 			Info("Remote certificate is no longer valid, tearing down the tunnel")
 		return true
+	} else {
+		//if we reach here, the cert is no longer valid, but we're configured to keep tunnels from now-invalid certs open
+		return false
 	}
-
-	//check that we still have a cert version in common with this connection. If we do not, disconnect.
-	remoteVersion := remoteCert.Certificate.Version()
-	cs := cm.intf.pki.getCertState()
-	out := false
-	switch remoteVersion {
-	case cert.Version1:
-		out = cs.v1Cert == nil
-	case cert.Version2:
-		out = cs.v2Cert == nil
-	default:
-		out = true
-	}
-
-	if out {
-		hostinfo.logger(cm.l).WithField("fingerprint", remoteCert.Fingerprint).
-			WithField("version", remoteVersion).
-			Info("We no longer have a certificate in common with remote, tearing down the tunnel")
-	}
-	return out
 }
 
 func (cm *connectionManager) sendPunch(hostinfo *HostInfo) {