diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/workers/CertificateCommand.java b/service/src/main/java/org/whispersystems/textsecuregcm/workers/CertificateCommand.java
index aa7df487..2b50b178 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/workers/CertificateCommand.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/workers/CertificateCommand.java
@@ -20,12 +20,17 @@ import org.whispersystems.textsecuregcm.util.Base64;
 
 import java.io.IOException;
 import java.security.InvalidKeyException;
+import java.util.Set;
 
 import io.dropwizard.cli.Command;
 import io.dropwizard.setup.Bootstrap;
 
 public class CertificateCommand extends Command {
 
+  private static final Set<Integer> RESERVED_CERTIFICATE_IDS = Set.of(
+      0xdeadc357 // Reserved for testing; see https://github.com/signalapp/libsignal-client/pull/118
+  );
+
   public CertificateCommand() {
     super("certificate", "Generates server certificates for unidentified delivery");
   }
@@ -75,6 +80,11 @@ public class CertificateCommand extends Command {
     ECPrivateKey key   = Curve.decodePrivatePoint(Base64.decode(namespace.getString("key")));
     int          keyId = namespace.getInt("keyId");
 
+    if (RESERVED_CERTIFICATE_IDS.contains(keyId)) {
+      throw new IllegalArgumentException(
+          String.format("Key ID %08x has been reserved or revoked and may not be used in new certificates.", keyId));
+    }
+
     ECKeyPair keyPair = Curve.generateKeyPair();
 
     byte[] certificate = MessageProtos.ServerCertificate.Certificate.newBuilder()