diff -U 20 -r pam_pkcs11-0.6.8/src/pam_pkcs11/pam_pkcs11.c pam_pkcs11-0.6.8-new/src/pam_pkcs11/pam_pkcs11.c
--- pam_pkcs11-0.6.8/src/pam_pkcs11/pam_pkcs11.c	2012-12-10 14:53:50.755864981 +0100
+++ pam_pkcs11-0.6.8-new/src/pam_pkcs11/pam_pkcs11.c	2012-12-10 14:53:30.603864649 +0100
@@ -555,40 +555,41 @@
 
       /* verify certificate (date, signature, CRL, ...) */
       rv = verify_certificate(x509,&configuration->policy);
       if (rv < 0) {
         ERR1("verify_certificate() failed: %s", get_error());
         if (!configuration->quiet) {
           pam_syslog(pamh, LOG_ERR,
                    "verify_certificate() failed: %s", get_error());
 			switch (rv) {
 				case -2: // X509_V_ERR_CERT_HAS_EXPIRED:
 					pam_prompt(pamh, PAM_ERROR_MSG , NULL,
 						_("Error 2324: Certificate has expired"));
 					break;
 				case -3: // X509_V_ERR_CERT_NOT_YET_VALID:
 					pam_prompt(pamh, PAM_ERROR_MSG , NULL,
 						_("Error 2326: Certificate not yet valid"));
 					break;
 				case -4: // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
 					pam_prompt(pamh, PAM_ERROR_MSG , NULL,
 						_("Error 2328: Certificate signature invalid"));
+                                        continue;
 					break;
 				default:
 					pam_prompt(pamh, PAM_ERROR_MSG , NULL,
 						_("Error 2330: Certificate invalid"));
 					break;
 			}
 			sleep(configuration->err_display_time);
 		}
 	goto auth_failed_nopw;
       } else if (rv != 1) {
         ERR1("verify_certificate() failed: %s", get_error());
         continue; /* try next certificate */
       }
 
     /* CA and CRL verified, now check/find user */
 
     if ( is_spaced_str(user) ) {
       /*
 	if provided user is null or empty extract and set user
 	name from certificate
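Review bot: The added `continue;` in the `case -4` arm sits inside `if (!configuration->quiet)`, so an issuer-lookup failure moves on to the next certificate only when quiet is off; with quiet on, the same failure still reaches `goto auth_failed_nopw`. A logging option should not decide the authentication flow, so I would drop the `continue;` from the switch and put `if (rv == -4) continue; /* issuer not found locally: try next certificate */` directly before `goto auth_failed_nopw;`. As written, the new line also skips `sleep(configuration->err_display_time)` after the "Error 2328" prompt and leaves the following `break;` unreachable. The prompt is shown for every skipped certificate even if a later one verifies, so it is worth deciding whether it should be shown at all on this path. The enclosing loop and function start and end outside the hunk; the `continue` presumably targets the per-certificate loop, as the existing `continue; /* try next certificate */` suggests, and what happens once every certificate has been skipped should be checked there.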
