diff -U 20 -r pam_pkcs11-0.6.8/src/pam_pkcs11/pam_pkcs11.c pam_pkcs11-0.6.8-new/src/pam_pkcs11/pam_pkcs11.c
--- pam_pkcs11-0.6.8/src/pam_pkcs11/pam_pkcs11.c	2012-12-10 14:53:50.755864981 +0100
+++ pam_pkcs11-0.6.8-new/src/pam_pkcs11/pam_pkcs11.c	2012-12-10 15:14:47.717883916 +0100
@@ -563,41 +563,42 @@
 			switch (rv) {
 				case -2: // X509_V_ERR_CERT_HAS_EXPIRED:
 					pam_prompt(pamh, PAM_ERROR_MSG , NULL,
 						_("Error 2324: Certificate has expired"));
 					break;
 				case -3: // X509_V_ERR_CERT_NOT_YET_VALID:
 					pam_prompt(pamh, PAM_ERROR_MSG , NULL,
 						_("Error 2326: Certificate not yet valid"));
 					break;
 				case -4: // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
 					pam_prompt(pamh, PAM_ERROR_MSG , NULL,
 						_("Error 2328: Certificate signature invalid"));
 					break;
 				default:
 					pam_prompt(pamh, PAM_ERROR_MSG , NULL,
 						_("Error 2330: Certificate invalid"));
 					break;
 			}
 			sleep(configuration->err_display_time);
 		}
-	goto auth_failed_nopw;
+//	goto auth_failed_nopw;
+	continue;
       } else if (rv != 1) {
         ERR1("verify_certificate() failed: %s", get_error());
         continue; /* try next certificate */
       }
 
     /* CA and CRL verified, now check/find user */
 
     if ( is_spaced_str(user) ) {
       /*
 	if provided user is null or empty extract and set user
 	name from certificate
       */
 	DBG("Empty login: try to deduce from certificate");
 	user=find_user(x509);
 	if (!user) {
           ERR2("find_user() failed: %s on cert #%d", get_error(),i+1);
           if (!configuration->quiet)
             pam_syslog(pamh, LOG_ERR,
                      "find_user() failed: %s on cert #%d",get_error(),i+1);
 	  continue; /* try on next certificate */
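Review bot: Replacing `goto auth_failed_nopw` with `continue` at the end of the verification-error branch means an expired, not-yet-valid or badly signed certificate no longer ends the attempt, so failing closed now depends on the code after the certificate loop rejecting the login when no certificate passed. That code and the start of the loop are outside this hunk, so the exit path should be checked before merging. The commented-out `//	goto auth_failed_nopw;` should be deleted rather than kept, and the new line written like its neighbours: `continue; /* verification failed, try next certificate */`. The `pam_prompt` message and `sleep(configuration->err_display_time)` now run once per rejected certificate, so a token with several stale certificates shows repeated errors and delays even when a later certificate succeeds. If the lines above the hunk do not already log it, a `pam_syslog(pamh, LOG_ERR, "verify_certificate() failed: %s on cert #%d", get_error(), i+1);` before the `continue` would keep each skipped certificate in the audit trail.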
