diff --git a/lib/browser/PayPro.js b/lib/browser/PayPro.js
index 03fb644..6f8c955 100644
--- a/lib/browser/PayPro.js
+++ b/lib/browser/PayPro.js
@@ -6,6 +6,13 @@ var assert = require('assert');
 var PayPro = require('../PayPro');
 var Trusted = require('./Trusted');
 
+// Use hash table for efficiency:
+var trustHash = Trusted.reduce(function(out, cert) {
+  cert = cert.replace(/\s+/g, '');
+  trusted[cert] = true;
+  return trusted;
+}, {});
+
 PayPro.sign = function(key) {
   if (this.messageType !== 'PaymentRequest')
     throw new Error('Signing can only be performed on a PaymentRequest');
@@ -14,13 +21,20 @@ PayPro.sign = function(key) {
 
   if (pki_type === 'SIN') {
     var sig = this.sinSign(key);
-  } else if (pki_type === 'none' || pki_type === 'x509+sha256' || pki_type === 'x509+sha1') {
+  } else if (pki_type === 'x509+sha256' || pki_type === 'x509+sha1') {
     throw new Error('x509 currently unsuported.');
   } else if (pki_type === 'x509+sha1' || pki_type === 'x509+sha256') {
     var crypto = require('crypto');
     var pki_data = this.get('pki_data'); // contains one or more x509 certs
     var type = pki_type.split('+').toUpperCase();
     var buf = this.serializeForSig();
+
+    // TODO: parse all certs
+    var cert = pki_data.split(/-----BEGIN[^\n]*KEY-----/)[0].replace(/\s+/g, '');
+    if (!trustHash[cert])) {
+      ; // untrusted cert
+    }
+
     var jsrsaSig = new KJUR.crypto.Signature({
       alg: type + 'withRSA',
       prov: 'cryptojs/jsrsa'