diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 9fcb2b2963..01420dde23 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -509,6 +509,11 @@ struct mbedtls_ssl_handshake_params
 uint8_t sni_authmode; /*!< authmode from SNI callback */
 #endif
+#if defined(MBEDTLS_SSL_SRV_C)
+ /** cert_request_send to indicate whether client certitifacte request */
+ uint16_t cert_request_send;
+#endif /* MBEDTLS_SSL_SRV_C */
+
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a260717e13..ab4d077a55 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -153,30 +153,6 @@ static void ssl_tls13_create_verify_structure( const unsigned char *transcript_h
 *verify_buffer_len = idx;
 }
-/* Coordinate: Check whether a certificate verify message is expected.
- * Returns a negative value on failure, and otherwise
- * - SSL_CERTIFICATE_VERIFY_SKIP
- * - SSL_CERTIFICATE_VERIFY_READ
- * to indicate if the CertificateVerify message should be present or not.
- */
-#define SSL_CERTIFICATE_VERIFY_SKIP 0
-#define SSL_CERTIFICATE_VERIFY_READ 1
-static int ssl_tls13_read_certificate_verify_coordinate( mbedtls_ssl_context *ssl )
-{
- if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
- return( SSL_CERTIFICATE_VERIFY_SKIP );
-
-#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-#else
- if( ssl->session_negotiate->peer_cert == NULL )
- return( SSL_CERTIFICATE_VERIFY_SKIP );
-
- return( SSL_CERTIFICATE_VERIFY_READ );
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-}
-
 static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
 const unsigned char *buf,
 const unsigned char *end,
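Review bot: In the `library/ssl_misc.h` hunk, `cert_request_send` is declared only under `MBEDTLS_SSL_SRV_C`, yet the `ssl_tls13_generic.c` hunks at `-339` and `-837` read `ssl->handshake->cert_request_send` with no matching guard visible, so a client-only build would presumably fail to compile. Either drop the guard on the field or wrap those reads in `#if defined(MBEDTLS_SSL_SRV_C)`. The field only ever holds 0 or 1 in this commit, so `uint8_t` would match the neighbouring flags, and the doc comment has a typo and does not say who sets it; I would write `uint8_t cert_request_send; /*!< 1 once the server has decided to send a CertificateRequest */`. The struct definition starts and ends outside the hunk.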
@@ -339,19 +315,13 @@ int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
- MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_verify_coordinate( ssl ) );
- if( ret == SSL_CERTIFICATE_VERIFY_SKIP )
+ if( ssl->handshake->cert_request_send &&
+ ssl->session_negotiate->peer_cert == NULL )
 {
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
 ret = 0;
 goto cleanup;
 }
- else if( ret != SSL_CERTIFICATE_VERIFY_READ )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- goto cleanup;
- }
 MBEDTLS_SSL_PROC_CHK(
 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
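Review bot: The new skip condition in `mbedtls_ssl_tls13_process_certificate_verify` no longer covers the PSK case that the removed `ssl_tls13_read_certificate_verify_coordinate` handled through `mbedtls_ssl_tls13_some_psk_enabled( ssl )`, so unless this state is never entered for a PSK handshake, the function now waits for a CertificateVerify that will not arrive. The skip also lets a peer that answered the CertificateRequest without a certificate continue unauthenticated, which is only safe if `mbedtls_ssl_tls13_process_certificate` has already failed the handshake for `MBEDTLS_SSL_VERIFY_REQUIRED`; that is not visible here. A comment stating the dependency would help, e.g. `/* No client certificate: only reachable for authmode OPTIONAL, REQUIRED is rejected in process_certificate */`, once that is confirmed. The function body starts and ends outside the hunk.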
@@ -409,63 +379,6 @@ cleanup:
 *
 */
-/* Coordination: Check if a certificate is expected.
- * Returns a negative error code on failure, and otherwise
- * SSL_CERTIFICATE_EXPECTED or
- * SSL_CERTIFICATE_SKIP
- * indicating whether a Certificate message is expected or not.
- */
-#define SSL_CERTIFICATE_EXPECTED 0
-#define SSL_CERTIFICATE_SKIP 1
-
-static int ssl_tls13_read_certificate_coordinate( mbedtls_ssl_context *ssl )
-{
-#if defined(MBEDTLS_SSL_SRV_C)
- int authmode = ssl->conf->authmode;
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_SRV_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
-
- mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
- }
-#endif /* MBEDTLS_SSL_SRV_C */
-
- if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
- return( SSL_CERTIFICATE_SKIP );
-
-#if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
- ( ( void )authmode );
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-#else
-#if defined(MBEDTLS_SSL_SRV_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
- {
- /* If SNI was used, overwrite authentication mode
- * from the configuration. */
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
- authmode = ssl->handshake->sni_authmode;
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
- if( authmode == MBEDTLS_SSL_VERIFY_NONE )
- {
- /* NOTE: Is it intentional that we set verify_result
- * to SKIP_VERIFY on server-side only? */
- ssl->session_negotiate->verify_result =
- MBEDTLS_X509_BADCERT_SKIP_VERIFY;
- return( SSL_CERTIFICATE_SKIP );
- }
- }
-#endif /* MBEDTLS_SSL_SRV_C */
-
- return( SSL_CERTIFICATE_EXPECTED );
-#endif /* !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
-}
-
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
 /*
@@ -837,9 +750,8 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
 * Check if we expect a certificate, and if yes,
 * check if a non-empty certificate has been sent.
 */
- MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_coordinate( ssl ) );
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
- if( ret == SSL_CERTIFICATE_EXPECTED )
+ if( ssl->handshake->cert_request_send )
 {
 unsigned char *buf;
 size_t buf_len;
@@ -859,16 +771,10 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
 }
 else
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
- if( ret == SSL_CERTIFICATE_SKIP )
 {
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
 ret = 0;
 }
- else
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
 cleanup:
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 1288e49444..fa297cb78f 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1342,6 +1342,8 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
 return( SSL_CERTIFICATE_REQUEST_SKIP );
+ ssl->handshake->cert_request_send = 1;
+
 return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
 }
@@ -1495,7 +1497,15 @@ static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
 return( ret );
 }
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+ if( ssl->handshake->cert_request_send )
+ {
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
+
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
+ mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
+ }
+ else
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
 return( 0 );
 }
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6eaa53477d..2aeee4ffbc 100755
--- a/tests/ssl-opt.sh
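Review bot: In `mbedtls_ssl_tls13_process_certificate` the parse branch is now taken only when `ssl->handshake->cert_request_send` is set, and the only assignment in this commit is on the server in `ssl_tls13_certificate_request_coordinate`. The endpoint check in the removed coordinate function suggests this routine also runs on the client for the server's Certificate; if so, the client would fall into the now unconditional block of the `-859` hunk and return 0 without parsing or verifying the peer certificate, silently skipping server authentication. The condition should keep the client path explicit, e.g. `if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT || ssl->handshake->cert_request_send )`, with the flag read guarded for builds without `MBEDTLS_SSL_SRV_C`. The removed code also set `ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY` when skipping, which the new skip path no longer does. Both hunks sit inside a function that starts and ends outside them.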
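Review bot: In `ssl_tls13_write_server_finished` the call `mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake )` sits inside the `cert_request_send` branch, so when no CertificateRequest was sent the server moves to `MBEDTLS_SSL_CLIENT_FINISHED` without switching inbound keys in this function. The client Finished is protected with the handshake keys as well, so unless a handler not shown here performs the switch, the debug message and the transform call should move above the `if` and run on both paths. The `else` arm should also get braces to match the `if` arm. The function starts outside the hunk.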
+++ b/tests/ssl-opt.sh
@@ -11310,7 +11310,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 run_test "TLS 1.3: Server side check - mbedtls" \
 "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
 "$P_CLI debug_level=4 force_version=tls13" \
- 0 \
+ 1 \
 -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
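Review bot: The expected exit code of "TLS 1.3: Server side check - mbedtls" changes from `0` to `1` with no comment saying which side is expected to fail or why, while the `-s` state checks stay in place. A test that passes only when the handshake fails keeps passing if the failure later moves to a different step, so it should pin the expected failure with a `-s` or `-c` pattern on the specific error message. It should also carry a comment along the lines of `# Expected to fail: <reason>; restore exit code 0 once fixed`, with the reason filled in, since it is not visible in this diff. The `run_test` invocation continues past the end of the hunk.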