diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index c9e9228c0d..75254414ec 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -376,6 +376,21 @@ function report_weird_orig(t: time, name: string, id: string, orig: addr)
 report_weird(t, name, id, F, "", action, no_log);
 }
+
+event conn_weird(name: string, c: connection, addl: string)
+ {
+ report_weird_conn(network_time(), name, id_string(c$id), addl, c);
+ }
+
+event flow_weird(name: string, src: addr, dst: addr)
+ {
+ report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
+ }
+
+event net_weird(name: string)
+ {
+ report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
+ }
 event connection_state_remove(c: connection)
 {
diff --git a/scripts/policy/protocols/conn/weirds.bro b/scripts/policy/protocols/conn/weirds.bro
index 32890a7eaa..a4db61e51f 100644
--- a/scripts/policy/protocols/conn/weirds.bro
+++ b/scripts/policy/protocols/conn/weirds.bro
@@ -18,21 +18,6 @@ export {
 };
 }
-event conn_weird(name: string, c: connection, addl: string)
- {
- report_weird_conn(network_time(), name, id_string(c$id), addl, c);
- }
-
-event flow_weird(name: string, src: addr, dst: addr)
- {
- report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
- }
-
-event net_weird(name: string)
- {
- report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
- }
-
 event rexmit_inconsistency(c: connection, t1: string, t2: string)
 {
 if ( c$id !in did_inconsistency_msg )
diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.bro
index 2cc1022998..50480b3a09 100644
--- a/scripts/policy/protocols/ssl/expiring-certs.bro
+++ b/scripts/policy/protocols/ssl/expiring-certs.bro
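Review bot: The three handlers added to the base notice framework carry no comment explaining that this file is now where the core `conn_weird`, `flow_weird` and `net_weird` events become notices, which matters because the same handlers are removed from `policy/protocols/conn/weirds.bro` in the second hunk and a reader of either file will not see the other. A one-line header above `event conn_weird` such as `# Turn the core weird events into notices via the report_weird* helpers above; policy/protocols/conn/weirds.bro no longer provides these handlers.` would make the move self-explanatory. The hunk also relies on `report_weird_conn` being defined earlier in this file, which is not visible here; only `report_weird_orig` appears in the hunk's header context.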
@@ -36,7 +36,9 @@ export {
 event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
 {
 # If this isn't the host cert or we aren't interested in the server, just return.
- if ( ! c$ssl?$cert_hash || ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
+ if ( chain_idx != 0 ||
+ ! c$ssl?$cert_hash ||
+ ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
 return;
 if ( cert$not_valid_before > network_time() )
diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro
index ed670e4473..7e21bc3c6b 100644
--- a/scripts/policy/protocols/ssl/known-certs.bro
+++ b/scripts/policy/protocols/ssl/known-certs.bro
@@ -46,17 +46,16 @@ event bro_init() &priority=5
 event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
 {
- # We aren't tracking client certificates yet.
- if ( ! c$ssl?$cert_hash ) return;
+ # Make sure this is the server cert and we have a hash for it.
+ if ( chain_idx == 0 && ! c$ssl?$cert_hash ) return;
 local host = c$id$resp_h;
 if ( [host, c$ssl$cert_hash] !in certs && addr_matches_host(host, cert_tracking) )
 {
- add certs[host, cert$serial];
+ add certs[host, c$ssl$cert_hash];
 Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host, $port_num=c$id$resp_p, $subject=cert$subject, $issuer_subject=cert$issuer,
- $serial=cert$serial,
- $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$cert_hash)]);
+ $serial=cert$serial]);
 }
 }
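Review bot: The new guard in `expiring-certs.bro` still does not consult `is_server`, although the comment above it says the handler returns when "we aren't interested in the server"; `chain_idx != 0` only excludes non-leaf certificates, and the address check is against the responder regardless of which side sent the certificate. If client certificates can also be delivered with `chain_idx` 0 and `c$ssl$cert_hash` set, a client leaf would pass this guard and be evaluated against the server's address; if `cert_hash` is only ever set for the server certificate the guard is sufficient, but that is not visible here. Adding the explicit term `if ( ! is_server || chain_idx != 0 ||` as the first line of the condition would make the code and the comment agree without depending on that assumption. The handler body continues past the end of the hunk.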
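Review bot: The added line `if ( chain_idx == 0 && ! c$ssl?$cert_hash ) return;` in `known-certs.bro` inverts the guard its comment describes: with `&&`, a certificate deeper in the chain (`chain_idx != 0`) never returns, and a leaf is rejected only when the hash is missing, so intermediate and root certificates fall through to `c$ssl$cert_hash` and `Log::write`. When the hash has not been set yet, the subsequent `[host, c$ssl$cert_hash]` lookup reads an unset optional field; when it has, intermediates are written under the leaf's hash key unless that key was already added. The same commit gets this right in `expiring-certs.bro`, and the condition here should match it: `if ( chain_idx != 0 || ! c$ssl?$cert_hash ) return;`. The rest of the handler is consistent with keying `certs` by hash, so only the guard needs to change.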