diff --git a/sys/src/cmd/upas/pop3/pop3.c b/sys/src/cmd/upas/pop3/pop3.c
index 61b418062..7696fbbe9 100644
--- a/sys/src/cmd/upas/pop3/pop3.c
+++ b/sys/src/cmd/upas/pop3/pop3.c
@@ -77,7 +77,7 @@ static Msg *msg;
 static int nmsg;
 static int loggedin;
 static int debug;
-static uchar *tlscert;
+static PEMChain *tlscert;
 static int ntlscert;
 static char *peeraddr;
 static char tmpaddr[64];
@@ -124,7 +124,7 @@ main(int argc, char **argv)
 peeraddr = tmpaddr;
 break;
 case 't':
- tlscert = readcert(EARGF(usage()), &ntlscert);
+ tlscert = readcertchain(EARGF(usage()));
 if(tlscert == nil){
 senderr("cannot read TLS certificate: %r");
 exits(nil);
@@ -562,13 +562,15 @@ stlscmd(char*)
 Bflush(&out);
 memset(&conn, 0, sizeof conn);
- conn.cert = tlscert;
- conn.certlen = ntlscert;
+ conn.cert = tlscert->pem;
+ conn.certlen = tlscert->pemlen;
+ conn.chain = tlscert->next;
 if(debug)
 conn.trace = trace;
 fd = tlsServer(0, &conn);
 if(fd < 0)
 sysfatal("tlsServer: %r");
+ freecertchain(tlscert);
 dup(fd, 0);
 dup(fd, 1);
 close(fd);
diff --git a/sys/src/cmd/upas/smtp/smtpd.c b/sys/src/cmd/upas/smtp/smtpd.c
index 032e19d87..97f13c2a2 100644
--- a/sys/src/cmd/upas/smtp/smtpd.c
+++ b/sys/src/cmd/upas/smtp/smtpd.c
@@ -1563,8 +1563,7 @@ s_dec64(String *sin)
 void
 starttls(void)
 {
- int certlen, fd;
- uchar *cert;
+ int fd;
 TLSconn *conn;
 if (tlscert == nil) {
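Review bot: `static int ntlscert;` stays as context in the pop3.c declarations hunk (@@ -77), but nothing in this diff still uses it. The `-t` case at @@ -124 no longer passes `&ntlscert`, and `stlscmd` at @@ -562 now takes the length from `tlscert->pemlen`. Unless another part of the file reads it, drop the declaration so the certificate length has a single source.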
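Review bot: In the pop3.c `stlscmd` hunk (@@ -562), `freecertchain(tlscert)` releases the chain but leaves the file-scope `tlscert` and the local `conn.cert`/`conn.chain` pointing at freed memory. Add `tlscert = nil;` right after the call so a later nil test on the global cannot pass on a dangling pointer. The call also frees the head node's `pem`, which was handed to `tlsServer` as `conn.cert`, whereas the smtpd.c change in this commit frees `conn->cert` separately and only walks `conn->chain`, so the two sites assume different ownership of that buffer once `tlsServer` returns. If `tlsServer` releases or replaces `conn->cert` (not visible here; confirm against libsec), this line is a double free. `stlscmd` begins and ends outside the hunk.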
@@ -1572,27 +1571,28 @@ starttls(void) return; } conn = mallocz(sizeof *conn, 1); - cert = readcert(tlscert, &certlen); - if (conn == nil || cert == nil) { - if (conn != nil) - free(conn); + if(conn) + conn->chain = readcertchain(tlscert); + if (conn == nil || conn->chain == nil) { + free(conn); reply("454 4.7.5 TLS not available\r\n"); return; } reply("220 2.0.0 Go ahead make my day\r\n"); - conn->cert = cert; - conn->certlen = certlen; + conn->cert = conn->chain->pem; + conn->certlen = conn->chain->pemlen; + conn->chain = conn->chain->next; fd = tlsServer(Bfildes(&bin), conn); if (fd < 0) { - free(cert); - free(conn); syslog(0, "smtpd", "TLS start-up failed with %s", him); - /* force the client to hang up */ close(Bfildes(&bin)); /* probably fd 0 */ close(1); exits("tls failed"); } + freecertchain(conn->chain); + free(conn->cert); + free(conn); Bterm(&bin); Binit(&bin, fd, OREAD); if (dup(fd, 1) < 0)
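Review bot: After `conn->chain = conn->chain->next;` no pointer to the head `PEMChain` node remains, so `freecertchain(conn->chain)` on the success path frees only the rest of the chain and the head node itself is never released. `free(conn->cert)` covers the head's `pem` only if `tlsServer` leaves `conn->cert` untouched, which is not visible here; pop3.c in this commit instead calls `freecertchain` on the head. Keep the head in a local (`PEMChain *chain = conn->chain;` before advancing) and free through one agreed path, with a comment stating who owns `conn->cert` after `tlsServer` returns. `starttls` continues past the end of the hunk.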