diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro
index 795aa78c40..1b4f96af2f 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro
@@ -9,7 +9,7 @@
 # @TEST-EXEC: btest-bg-run worker-2  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/missing-intermediate.pcap %INPUT"
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: cat manager-1/ssl*.log > ssl.log
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-file-ids btest-diff ssl.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log
 #
 
 redef Log::default_rotation_interval = 0secs;
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro
index 343b2fb196..5212d42b78 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro
@@ -1,5 +1,5 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap %INPUT
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log
 
 @load protocols/ssl/validate-certs.bro
 
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
index 40e5e09361..332bae4050 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
@@ -2,6 +2,6 @@
 # @TEST-EXEC: cat ssl.log > ssl-all.log
 # @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-all.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log
 
 @load protocols/ssl/validate-certs.bro
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
index 3f88638ee3..b2f600f734 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -1,10 +1,10 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-twimg.log
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-twimg.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-twimg.log
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-digicert.log
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-digicert.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-digicert.log
 
 @load protocols/ssl/validate-ocsp
diff --git a/testing/scripts/diff-remove-x509-names b/testing/scripts/diff-remove-x509-names
index 4534cb7d87..d9437b0741 100755
--- a/testing/scripts/diff-remove-x509-names
+++ b/testing/scripts/diff-remove-x509-names
@@ -25,43 +25,48 @@ BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1; is_col = -1; cs_col = -1; ci_
         }
 }
 
-s_col >= 0 {
+/^#/ {
+    print;
+    next;
+}
+
+s_col > 0 {
     if ( $s_col != "-" )
         # Mark that it's set, but ignore content.
         $s_col = "+";
 }
 
-i_col >= 0 {
+i_col > 0 {
     if ( $i_col != "-" )
         # Mark that it's set, but ignore content.
         $i_col = "+";
 }
 
-is_col >= 0 {
+is_col > 0 {
     if ( $is_col != "-" )
         # Mark that it's set, but ignore content.
         $is_col = "+";
 }
 
-cs_col >= 0 {
+cs_col > 0 {
     if ( $cs_col != "-" )
         # Mark that it's set, but ignore content.
         $cs_col = "+";
 }
 
-ci_col >= 0 {
+ci_col > 0 {
     if ( $ci_col != "-" )
         # Mark that it's set, but ignore content.
         $ci_col = "+";
 }
 
-cert_subj_col >= 0 {
+cert_subj_col > 0 {
     if ( $cert_subj_col != "-" )
         # Mark that it's set, but ignore content.
         $cert_subj_col = "+";
 }
 
-cert_issuer_col >= 0 {
+cert_issuer_col > 0 {
     if ( $cert_issuer_col != "-" )
         # Mark that it's set, but ignore content.
         $cert_issuer_col = "+";