diff --git a/ligoauth/management/commands/refresh_users_from_ldap.py b/ligoauth/management/commands/refresh_users_from_ldap.py
index 3fb0226c7688151d610b523a0760a9a810195f40..73781ccb673bde771e7692f2b3affc6e5ec0176f 100644
--- a/ligoauth/management/commands/refresh_users_from_ldap.py
+++ b/ligoauth/management/commands/refresh_users_from_ldap.py
@@ -85,8 +85,9 @@ class Command(NoArgsCommand):
                         current_dns = set([ cert.subject for cert in user.x509cert_set.all() ])
 
                         if current_dns != new_dns:
-                            for dn in current_dns - new_dns:
-                                X509Cert.objects.get(subject=dn).delete()
+# XXX Some certs put in by hand are getting blow away. I don't think this feature is really needed anyway.
+#                            for dn in current_dns - new_dns:
+#                                X509Cert.objects.get(subject=dn).delete()
                             for dn in new_dns - current_dns:
                                 cert, created = X509Cert.objects.get_or_create(subject=dn)
                                 if created: