diff --git a/rs/certification/src/lib.rs b/rs/certification/src/lib.rs
index 35455ea385fe..bbe117e6e235 100644
--- a/rs/certification/src/lib.rs
+++ b/rs/certification/src/lib.rs
@@ -162,7 +162,7 @@ pub fn verify_certified_data_with_cache_for_canister_sig(
 let (time, delegation_info) =
 verify_certified_data_internal(certificate, canister_id, root_pk, certified_data, true)?;
 if let Some(info) = delegation_info
- && info.subnet_type.as_deref() == Some("cloud_engine")
+ && matches!(info.subnet_type.as_deref(), None | Some("cloud_engine"))
 {
 return Err(CertificateValidationError::UntrustedDelegationSubnet(
 info.subnet_id,
diff --git a/rs/certification/src/tests.rs b/rs/certification/src/tests.rs
index 7fd41badb695..800f746b95c6 100644
--- a/rs/certification/src/tests.rs
+++ b/rs/certification/src/tests.rs
@@ -1146,6 +1146,40 @@ fn should_reject_cloud_engine_delegation_via_canister_sig_path() {
 );
 }
 
+#[test]
+fn should_reject_missing_subnet_type_delegation_via_canister_sig_path() {
+ let rng = &mut reproducible_rng();
+ let subnet_id = subnet_id(42);
+ let cid = canister_id(1);
+ let certified_data = random_certified_data();
+
+ let (_cert, root_pk, cbor) = CertificateBuilder::new_with_rng(
+ CanisterData {
+ canister_id: cid,
+ certified_data: certified_data.clone(),
+ },
+ rng,
+ )
+ .with_delegation(CertificateBuilder::new_with_rng(
+ SubnetData {
+ subnet_id,
+ canister_id_ranges: vec![(canister_id(0), canister_id(10))],
+ },
+ rng,
+ ))
+ .build();
+
+ assert_matches!(
+ verify_certified_data_with_cache_for_canister_sig(
+ &cbor,
+ &cid,
+ &root_pk,
+ certified_data.as_bytes(),
+ ),
+ Err(CertificateValidationError::UntrustedDelegationSubnet(_))
+ );
+}
+
 #[test]
 fn should_accept_delegation_with_non_cloud_engine_type() {
 let rng = &mut reproducible_rng();
diff --git a/rs/crypto/iccsa/test_utils/src/lib.rs b/rs/crypto/iccsa/test_utils/src/lib.rs
index 958e8b972f63..4d748336e33f 100644
--- a/rs/crypto/iccsa/test_utils/src/lib.rs
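Review bot: In rs/certification/src/lib.rs the delegation check is still a deny-list: with this change only a missing `subnet_type` and the literal `"cloud_engine"` are rejected, so any other string, including a type this code does not know about, is accepted on the canister-signature path. If the set of subnet types allowed to back canister signatures is closed, matching on an allow-list would fail closed when a new type appears; the hunk does not show that set, so the names would have to come from the protocol definition. The new `None` arm also deserves a comment such as `// Fail closed: a delegation without a subnet type cannot be shown to come from a trusted subnet.`, and since both rejected cases return the same `UntrustedDelegationSubnet` error, logs cannot tell a missing type from a cloud-engine one. The function body starts and ends outside the hunk.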
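Review bot: In rs/certification/src/tests.rs, `should_reject_missing_subnet_type_delegation_via_canister_sig_path` relies on `CertificateBuilder` leaving the subnet type unset when `with_subnet_type` is not called, and nothing in the test states that; if the builder's default ever changes, the test stops exercising the missing-type case without anyone noticing. A comment above the `.with_delegation(...)` call, e.g. `// No with_subnet_type(): the delegation certificate carries no subnet type.`, would make the precondition explicit. The assertion could also pin the rejected subnet instead of `_`, for example `Err(CertificateValidationError::UntrustedDelegationSubnet(id)) if id == subnet_id`, assuming the variant's field is comparable with the local `subnet_id`.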
+++ b/rs/crypto/iccsa/test_utils/src/lib.rs
@@ -55,13 +55,16 @@ fn conditionally_add_delegation_cert(
 rng: &mut R,
 ) -> CertificateBuilder {
 if with_delegation {
- cert_builder.with_delegation(CertificateBuilder::new_with_rng(
- CertificateData::SubnetData {
- subnet_id: subnet_id(123),
- canister_id_ranges: vec![(canister_id(0), canister_id(10))],
- },
- rng,
- ))
+ cert_builder.with_delegation(
+ CertificateBuilder::new_with_rng(
+ CertificateData::SubnetData {
+ subnet_id: subnet_id(123),
+ canister_id_ranges: vec![(canister_id(0), canister_id(10))],
+ },
+ rng,
+ )
+ .with_subnet_type("application"),
+ )
 } else {
 cert_builder
 }
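Review bot: In `conditionally_add_delegation_cert` the reason for the added `.with_subnet_type("application")` is not stated, and the helper now always produces an application-typed delegation. A short comment on that call, e.g. `// Canister-signature verification rejects delegations without a subnet type.`, would tell the next reader why it cannot be dropped. Tests built on this helper can no longer reach the missing-type or cloud-engine rejection through it, so negative cases for canister-signature verification need their own builder setup. The function starts and ends outside the hunk.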