diff --git a/browserid/lib/ca.js b/browserid/lib/ca.js
index 533538ae24180909db8a9a2ac853e69d0808ee3f..45fa726039742876be4e4f2ffa12f09d992ee7a3 100644
--- a/browserid/lib/ca.js
+++ b/browserid/lib/ca.js
@@ -81,10 +81,18 @@ function loadPublicKey(name, dir) {
 var SECRET_KEY = loadSecretKey('root', configuration.get('var_path'));
 var PUBLIC_KEY = loadPublicKey('root', configuration.get('var_path'));
 
-function certify(email, serializedPublicKey) {
-  var pk = jws.getByAlg("RS").PublicKey.deserialize(serializedPublicKey);
+function parsePublicKey(serializedPK) {
+  return jws.getByAlg("RS").PublicKey.deserialize(serializedPK);
+}
+
+function parseCert(serializedCert) {
+  var cert = new jwcert.JWCert();
+  cert.parse(serializedCert);
+  return cert;
+}
 
-  return new jwcert.JWCert("browserid.org", new Date(), pk, {email: email}).sign(SECRET_KEY);
+function certify(email, publicKey, expiration) {
+  return new jwcert.JWCert("browserid.org", new Date(), publicKey, {email: email}).sign(SECRET_KEY);
 }
 
 function verifyChain(certChain, publicKey) {
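Review bot: `certify` now accepts an `expiration` argument but never reads it; the certificate is still built with `new Date()` as its only date, so a caller cannot influence the validity window. Either wire it through to the `JWCert` constructor (with a default for callers that omit it, as the wsapi.js call in this commit does) or drop the parameter until it is used. Which constructor argument carries the expiry is not visible here and should be confirmed against `jwcert`. The contract also changed from a serialized key to a parsed key object, which deserves a comment on the function, for example `// publicKey: parsed key object from parsePublicKey(), not the serialized string`.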
@@ -109,3 +117,5 @@ function verifyChain(certChain, publicKey) {
 // exports, not the key stuff
 exports.certify = certify;
 exports.verifyChain = verifyChain;
+exports.parsePublicKey = parsePublicKey;
+exports.parseCert = parseCert;
\ No newline at end of file
diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index e6983ced512941f7904178bed131c90e11737e26..be8b4f8827bfe0ee5d489d59d16590d27a76af25 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -298,10 +298,11 @@ function setup(app) {
       // not same account? big fat error
       if (!sameAccount) return httputils.badRequest(resp, "that email does not belong to you");
 
-      // pubkey is checked in ca.certify
+      // parse the pubkey
+      var pk = ca.parsePublicKey(req.body.pubkey);
       
       // same account, we certify the key
-      var cert = ca.certify(req.body.email, req.body.pubkey);
+      var cert = ca.certify(req.body.email, pk);
       resp.json(cert);
     });
   });
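Review bot: `ca.parsePublicKey(req.body.pubkey)` runs on request-supplied data with no error handling, and the comment this hunk removes was the only statement that the key is checked anywhere. If `deserialize` throws on a missing or malformed key (likely, but not visible in this hunk), the exception escapes the callback instead of producing a 400 response. Wrapping the call would reject a bad key the same way as the email check above: `var pk; try { pk = ca.parsePublicKey(req.body.pubkey); } catch (e) { return httputils.badRequest(resp, "malformed public key"); }`. The handler starts outside the hunk, so an earlier validation of `pubkey` may already exist there.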
diff --git a/browserid/tests/ca-test.js b/browserid/tests/ca-test.js
old mode 100644
new mode 100755
index 2b13df7a3d6616be08d67d25b04701a08a2344f1..b42ebf6d3e32734daf68dbd12be28855075d5fa3
--- a/browserid/tests/ca-test.js
+++ b/browserid/tests/ca-test.js
@@ -59,10 +59,13 @@ var email_addr = "foo@foo.com";
 // create a new account via the api with (first address)
 suite.addBatch({
   "certify a public key": {
-    topic: ca.certify(email_addr, kp.publicKey.serialize()),
+    topic: ca.certify(email_addr, kp.publicKey),
+    "parses" : function(r, err) {
+      var cert = ca.parseCert(r);
+      assert.notEqual(cert, null);
+    },
     "verifies": function(r, err) {
-      var cert = new jwcert.JWCert();
-      cert.parse(r);
+      var cert = ca.parseCert(r);
       assert.isTrue(ca.verifyChain([cert], kp.publicKey));
     }
   }
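Review bot: The new "parses" test cannot detect a bad result: `ca.parseCert` returns the `JWCert` object it constructs itself, so `assert.notEqual(cert, null)` holds whenever `parse` does not throw. It would be stronger to assert something the parse actually produced, such as that the certified principal matches `email_addr`, using whatever accessor `JWCert` exposes. A negative case is also missing: feeding `ca.parseCert` and `ca.parsePublicKey` a malformed string and asserting the failure would pin down how the CA treats untrusted input. The batch's closing lines fall outside the hunk.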