diff --git a/irc/config.go b/irc/config.go
index 09e01f8e..e00a9bac 100644
--- a/irc/config.go
+++ b/irc/config.go
@@ -207,12 +207,12 @@ type OperClassConfig struct {
 
 // OperConfig defines a specific operator's configuration.
 type OperConfig struct {
-	Class     string
-	Vhost     string
-	WhoisLine string `yaml:"whois-line"`
-	Password  string
-	Certfp    string
-	Modes     string
+	Class       string
+	Vhost       string
+	WhoisLine   string `yaml:"whois-line"`
+	Password    string
+	Fingerprint string
+	Modes       string
 }
 
 // LineLenConfig controls line lengths.
@@ -455,13 +455,13 @@ func (conf *Config) OperatorClasses() (map[string]*OperClass, error) {
 
 // Oper represents a single assembled operator's config.
 type Oper struct {
-	Name      string
-	Class     *OperClass
-	WhoisLine string
-	Vhost     string
-	Pass      []byte
-	Certfp    string
-	Modes     []modes.ModeChange
+	Name        string
+	Class       *OperClass
+	WhoisLine   string
+	Vhost       string
+	Pass        []byte
+	Fingerprint string
+	Modes       []modes.ModeChange
 }
 
 // Operators returns a map of operator configs from the given OperClass and config.
@@ -481,7 +481,7 @@ func (conf *Config) Operators(oc map[string]*OperClass) (map[string]*Oper, error
 		if err != nil {
 			return nil, err
 		}
-		oper.Certfp = opConf.Certfp
+		oper.Fingerprint = opConf.Fingerprint
 
 		oper.Vhost = opConf.Vhost
 		class, exists := oc[opConf.Class]
diff --git a/irc/handlers.go b/irc/handlers.go
index 74381015..62f509a2 100644
--- a/irc/handlers.go
+++ b/irc/handlers.go
@@ -2180,7 +2180,7 @@ func operHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Resp
 	authorized := false
 	oper := server.GetOperator(msg.Params[0])
 	if oper != nil {
-		if utils.CertfpsMatch(oper.Certfp, client.certfp) {
+		if utils.CertfpsMatch(oper.Fingerprint, client.certfp) {
 			authorized = true
 		} else if 1 < len(msg.Params) {
 			password := []byte(msg.Params[1])
@@ -2645,7 +2645,7 @@ func webircHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Re
 			if 0 < len(info.Password) && bcrypt.CompareHashAndPassword(info.Password, givenPassword) != nil {
 				continue
 			}
-			if 0 < len(info.Fingerprint) && client.certfp != info.Fingerprint {
+			if 0 < len(info.Fingerprint) && !utils.CertfpsMatch(info.Fingerprint, client.certfp) {
 				continue
 			}
 
diff --git a/oragono.yaml b/oragono.yaml
index 750ab112..d5638f41 100644
--- a/oragono.yaml
+++ b/oragono.yaml
@@ -452,7 +452,7 @@ opers:
 
         # if you're logged in using the client cert with this SHA-256 fingerprint,
         # you'll be able to /OPER without a password
-        certfp: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
+        fingerprint: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
 
 # logging, takes inspiration from Insp
 logging: