diff --git a/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt b/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
index a01f3b4045..2e754c518c 100644
--- a/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
+++ b/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
@@ -165,12 +165,7 @@ abstract class AbstractNode(open val configuration: NodeConfiguration,
 log.warn("Corda node is running in dev mode.")
 configuration.configureWithDevSSLCertificate()
 }
- require(hasSSLCertificates()) {
- "Identity certificate not found. " +
- "Please either copy your existing identity key and certificate from another node, " +
- "or if you don't have one yet, fill out the config file and run corda.jar --initial-registration. " +
- "Read more at: https://docs.corda.net/permissioning.html"
- }
+ validateKeystore()
 log.info("Node starting up ...")
@@ -520,19 +515,30 @@ abstract class AbstractNode(open val configuration: NodeConfiguration,
 @VisibleForTesting
 protected open fun acceptableLiveFiberCountOnStop(): Int = 0
 
- private fun hasSSLCertificates(): Boolean {
- val (sslKeystore, keystore) = try {
+ private fun validateKeystore() {
+ val containCorrectKeys = try {
 // This will throw IOException if key file not found or KeyStoreException if keystore password is incorrect.
- Pair(
- KeyStoreUtilities.loadKeyStore(configuration.sslKeystore, configuration.keyStorePassword),
- KeyStoreUtilities.loadKeyStore(configuration.nodeKeystore, configuration.keyStorePassword))
- } catch (e: IOException) {
- return false
+ val sslKeystore = KeyStoreUtilities.loadKeyStore(configuration.sslKeystore, configuration.keyStorePassword)
+ val identitiesKeystore = KeyStoreUtilities.loadKeyStore(configuration.nodeKeystore, configuration.keyStorePassword)
+ sslKeystore.containsAlias(X509Utilities.CORDA_CLIENT_TLS) && identitiesKeystore.containsAlias(X509Utilities.CORDA_CLIENT_CA)
 } catch (e: KeyStoreException) {
 log.warn("Certificate key store found but key store password does not match configuration.")
- return false
+ false
+ } catch (e: IOException) {
+ false
+ }
+ require(containCorrectKeys) {
+ "Identity certificate not found. " +
+ "Please either copy your existing identity key and certificate from another node, " +
+ "or if you don't have one yet, fill out the config file and run corda.jar --initial-registration. " +
+ "Read more at: https://docs.corda.net/permissioning.html"
+ }
+ val identitiesKeystore = KeyStoreUtilities.loadKeyStore(configuration.sslKeystore, configuration.keyStorePassword)
+ val tlsIdentity = identitiesKeystore.getX509Certificate(X509Utilities.CORDA_CLIENT_TLS).subject
+
+ require(tlsIdentity == configuration.myLegalName) {
+ "Expected '${configuration.myLegalName}' but got '$tlsIdentity' from the keystore."
 }
- return sslKeystore.containsAlias(X509Utilities.CORDA_CLIENT_TLS) && keystore.containsAlias(X509Utilities.CORDA_CLIENT_CA)
 }
 
 // Specific class so that MockNode can catch it.
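Review bot: The `loadKeyStore` call after `require(containCorrectKeys)` reads `configuration.sslKeystore` into a local named `identitiesKeystore`, reusing the name that inside the try block refers to the node keystore, and it re-opens a store the try block already loaded, this time outside any catch. Only the TLS certificate's subject is compared with `myLegalName`; the `CORDA_CLIENT_CA` certificate, which the `require` message calls the identity certificate, is never compared, though I cannot see here whether registration issues it with the same subject, so that needs confirming before adding the check. The `catch (e: IOException) { false }` branch also discards the exception, so a permission or corruption error on the keystore file is reported only as "Identity certificate not found"; logging `e` at warn level as the `KeyStoreException` branch does would make such failures diagnosable. A restructure that names the stores by what they hold, loads each once after the presence check, and verifies both subjects is sketched below.
```kotlin
        // … unchanged: containCorrectKeys try/catch and require(containCorrectKeys) …
        val sslKeystore = KeyStoreUtilities.loadKeyStore(configuration.sslKeystore, configuration.keyStorePassword)
        val identitiesKeystore = KeyStoreUtilities.loadKeyStore(configuration.nodeKeystore, configuration.keyStorePassword)
        val tlsIdentity = sslKeystore.getX509Certificate(X509Utilities.CORDA_CLIENT_TLS).subject
        val clientCAIdentity = identitiesKeystore.getX509Certificate(X509Utilities.CORDA_CLIENT_CA).subject

        require(tlsIdentity == configuration.myLegalName) {
            "Expected '${configuration.myLegalName}' but got '$tlsIdentity' from the TLS keystore."
        }
        // TODO(review): confirm the node CA certificate is issued with the legal name as its subject before enforcing this.
        require(clientCAIdentity == configuration.myLegalName) {
            "Expected '${configuration.myLegalName}' but got '$clientCAIdentity' from the node identity keystore."
        }
```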