Right now we just use the first cert. We're going to fix it so that there is some sort of intelligent decision. Olga has some ideas about that. At the very least we need to ignore certs that don't have corresponding private keys capable of signing.