diff --git a/auth/internal/transport/cba.go b/auth/internal/transport/cba.go
index 75734906259c..6ef88311a249 100644
--- a/auth/internal/transport/cba.go
+++ b/auth/internal/transport/cba.go
@@ -217,7 +217,7 @@ func getTransportConfig(opts *Options) (*transportConfig, error) {
 // encountered while initializing the default source will be reported as client
 // error (ex. corrupt metadata file).
 func getClientCertificateSource(opts *Options) (cert.Provider, error) {
-	if !isClientCertificateEnabled() {
+	if !isClientCertificateEnabled(opts) {
 		return nil, nil
 	} else if opts.ClientCertProvider != nil {
 		return opts.ClientCertProvider, nil
@@ -226,14 +226,14 @@ func getClientCertificateSource(opts *Options) (cert.Provider, error) {
 
 }
 
-// isClientCertificateEnabled returns true by default, unless explicitly set to false via env var.
-func isClientCertificateEnabled() bool {
+// isClientCertificateEnabled returns true by default for all GDU universe domain, unless explicitly overridden by env var
+func isClientCertificateEnabled(opts *Options) bool {
 	if value, ok := os.LookupEnv(googleAPIUseCertSource); ok {
 		// error as false is OK
 		b, _ := strconv.ParseBool(value)
 		return b
 	}
-	return true
+	return opts.isUniverseDomainGDU()
 }
 
 type transportConfig struct {