diff --git a/browserid/lib/ca.js b/browserid/lib/ca.js
index 39b7af7a93ee4f1017561480100ae1e5eedd0e32..e4f096a037a59992d3b7035ea873ac6ca8e516fe 100644
--- a/browserid/lib/ca.js
+++ b/browserid/lib/ca.js
@@ -93,22 +93,14 @@ function certify(email, publicKey, expiration) {
 }
 
 function verifyChain(certChain) {
-  // the certChain is expected to be ordered
-  // first cert signed root, next cert signed by first, ...
-  // returns the last certified public key
-  var currentPublicKey = PUBLIC_KEY;
-  for (var i =0; i < certChain.length; i++) {
-    var cert = certChain[i];
-    if (!cert.verify(currentPublicKey)) {
-      return false;
-    }
-
-    // the public key for the next verification is..
-    currentPublicKey = cert.pk;
-  }
-
-  // return last certified public key
-  return currentPublicKey;
+  // raw certs
+  return jwcert.JWCert.verifyChain(certChain, function(issuer) {
+    // for now we only do browserid.org issued keys
+    if (issuer != "browserid2.org")
+      return null;
+
+    return PUBLIC_KEY;
+  });
 }
 
 // exports, not the key stuff
diff --git a/browserid/tests/ca-test.js b/browserid/tests/ca-test.js
index f18403e14b9eee50ea05d7120659f879a0740976..faa81b8315bedf2a10d96eca13a62d12f7425637 100755
--- a/browserid/tests/ca-test.js
+++ b/browserid/tests/ca-test.js
@@ -61,13 +61,12 @@ var email_addr = "foo@foo.com";
 suite.addBatch({
   "certify a public key": {
     topic: ca.certify(email_addr, kp.publicKey),
-    "parses" : function(r, err) {
-      var cert = ca.parseCert(r);
+    "parses" : function(cert_raw, err) {
+      var cert = ca.parseCert(cert_raw);
       assert.notEqual(cert, null);
     },
-    "verifies": function(r, err) {
-      var cert = ca.parseCert(r);
-      assert.isTrue(ca.verifyChain([cert]).equals(kp.publicKey));
+    "verifies": function(cert_raw, err) {
+      assert.isTrue(kp.publicKey.equals(ca.verifyChain([cert_raw])));
     }
   },
   "certify a chain of keys": {
diff --git a/browserid/tests/cert-emails-test.js b/browserid/tests/cert-emails-test.js
index e16067d43db05ce007123a42b587d016db4bebe9..fbd5ab9cfcf9c46569a3af525077b75733782c29 100755
--- a/browserid/tests/cert-emails-test.js
+++ b/browserid/tests/cert-emails-test.js
@@ -148,7 +148,19 @@ suite.addBatch({
         assert.equal(full_assertion.assertion.split(".").length, 3);
       },
       "assertion verifies": {
-        topic: function(full_assertion) {return wsapi.get(cert_key_url, { assertion: full_assertion, audience: "rp.com" })();},
+        topic: function(full_assertion) {
+          // check that the assertion is verified by the public key in the chain cert
+          var cert_chain = [];
+          for (var i=0; i<full_assertion.certificates.length; i++) {
+            var cert = new jwcert.JWCert();
+            cert.parse(full_assertion.certificates[i]);
+            cert_chain[cert_chain.length] = cert;
+          }
+
+          // extract public key at the tail of the chain
+          var pk = ca.verifyChain(cert_chain);
+          
+        },
         "verifies": function(result) {
           assert.isTrue(result);
         }
diff --git a/lib/jwcrypto b/lib/jwcrypto
index 43535b130439a8f346e5758ded8c8fc30e927162..54af6b4cac37e8a4b6a90808bda07765f47125f5 160000
--- a/lib/jwcrypto
+++ b/lib/jwcrypto
@@ -1 +1 @@
-Subproject commit 43535b130439a8f346e5758ded8c8fc30e927162
+Subproject commit 54af6b4cac37e8a4b6a90808bda07765f47125f5