diff --git a/src/internal.c b/src/internal.c
index f11b9f329..cb3399cf8 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4278,8 +4278,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 return MEMORY_E;
             XMEMCPY(add.buffer, myCert.buffer, myCert.length);
 
-            ret = AddCA(ssl->ctx->cm, add, WOLFSSL_CHAIN_CA,
-                        ssl->ctx->verifyPeer);
+            /* already verified above */
+            ret = AddCA(ssl->ctx->cm, add, WOLFSSL_CHAIN_CA, 0);
             if (ret == 1) ret = 0;   /* SSL_SUCCESS for external */
         }
         else if (ret != 0) {
diff --git a/src/ssl.c b/src/ssl.c
index aba00ac0c..c4a095663 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -2843,7 +2843,8 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
             XFREE(der.buffer, heap, dynamicType);
             return BAD_FUNC_ARG;
         }
-        return AddCA(ctx->cm, der, WOLFSSL_USER_CA, ctx->verifyPeer);
+        /* verify CA unless user set to no verify */
+        return AddCA(ctx->cm, der, WOLFSSL_USER_CA, !ctx->verifyNone);
                                                       /* takes der over */
     }
     else if (type == CERT_TYPE) {