diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index bb027823ecf971351b06f02531f0ddc1e9b4e014..253cf9790ea152bcfd6dd48ebe49332602ab92fa 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -319,10 +319,11 @@ certificateListValidate( Syntax *syntax, struct berval *in )
 			tag = ber_skip_tag( ber, &len );
 		}
 	}
-	/* Optional Extensions */
+	/* Optional Extensions - Sequence of Sequence */
 	if ( tag == SLAP_X509_OPT_CL_CRLEXTENSIONS ) { /* ? */
+		ber_len_t seqlen;
 		if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
-		tag = ber_skip_tag( ber, &len );
+		tag = ber_peek_tag( ber, &seqlen );
 		if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
 		ber_skip_data( ber, len );
 		tag = ber_skip_tag( ber, &len );
@@ -388,7 +389,7 @@ attributeCertificateValidate( Syntax *syntax, struct berval *in )
 	if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
 	ber_skip_data( ber, len );
 
-	ber_peek_tag( ber, &len );
+	tag = ber_peek_tag( ber, &len );
 
 	if ( tag == LBER_BITSTRING ) {	/* issuerUniqueID */
 		tag = ber_skip_tag( ber, &len );