diff --git a/lib/modules/SSL.pmod/context.pike b/lib/modules/SSL.pmod/context.pike
index 79fb5c5dda8f221a125389b8975e5dcf8144d2f2..d35239467ec21e7811fb59756e9a46b25dc46f96 100644
--- a/lib/modules/SSL.pmod/context.pike
+++ b/lib/modules/SSL.pmod/context.pike
@@ -772,8 +772,14 @@ private void update_trusted_issuers()
     if(!result->verified)
       error("Broken trusted issuer chain!\n");
 
-    Standards.X509.TBSCertificate cert =
-      Standards.X509.decode_certificate(i[-1]);
+    if( !tbs->ext_basicConstraints_cA || !(tbs->ext_keyUsage & keyCertSign) )
+      error("Trusted issuer not allowed to sign other certificates.\n");
+
+    // FIXME: The pathLenConstraint does not survive the cache.
+
+    // The leaf of the trusted issuer is the root to validate
+    // certificate chains against.
+    Standards.X509.TBSCertificate cert = result->certificates[-1];
 
     trusted_issuers_cache[cert->subject->get_der()] = cert->public_key;
   }
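Review bot: The new CA check `if( !tbs->ext_basicConstraints_cA || ... )` reads `tbs`, which is not declared anywhere in this hunk, while the certificate that actually gets cached is `cert`, declared a few lines below it. Unless `tbs` is defined earlier in the loop body (outside the hunk) and refers to the same object, the check either does not compile or vets a different certificate than the one whose key is trusted. Moving the declaration above the check binds both to one object: `Standards.X509.TBSCertificate cert = result->certificates[-1];` followed by `if( !cert->ext_basicConstraints_cA || !(cert->ext_keyUsage & keyCertSign) )`. `keyCertSign` is also unqualified, so confirm it resolves in context.pike; it is presumably a `Standards.X509` constant. The FIXME should also say why it matters: the cache maps subject DER to the public key only, so a trusted issuer's pathLenConstraint cannot be enforced by code that validates chains against the cache.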