@@ -878,11 +878,10 @@
 
 /* Protected Authentication Path command */
 #define CACKEY_PIN_COMMAND_DEFAULT_XSTR(str) CACKEY_PIN_COMMAND_DEFAULT_STR(str)
 #define CACKEY_PIN_COMMAND_DEFAULT_STR(str) #str
 static char *cackey_pin_command = NULL;
-static char *cackey_pin_command_xonly = NULL;
 
 /* PCSC Global Handles */
 static LPSCARDCONTEXT cackey_pcsc_handle = NULL;
 
 static unsigned long cackey_getversion(void) {
@@ -2455,11 +2454,10 @@
 	if (!slot->slot_reset) {
 		if (slot->cached_certs) {
 			if (certs == NULL) {
 				certs = malloc(sizeof(*certs) * slot->cached_certs_count);
 				*count = slot->cached_certs_count;
-
 			} else {
 				if (*count > slot->cached_certs_count) {
 					*count = slot->cached_certs_count;
 				}
 			}
@@ -2873,11 +2871,11 @@
 
 			/* End transaction */
 			cackey_end_transaction(slot);
 
 			if (respcode == 0x6982 || respcode == 0x6e00) {
-				CACKEY_DEBUG_PRINTF("Security status not satisified.  Returning NEEDLOGIN");
+				CACKEY_DEBUG_PRINTF("Security status not satisified (respcode = 0x%04x).  Returning NEEDLOGIN", (int) respcode);
 
 				cackey_mark_slot_reset(slot);
 
 				return(CACKEY_PCSC_E_NEEDLOGIN);
 			}
@@ -3083,10 +3081,12 @@
 				key_reference = 0x80;
 				break;
 			default:
 				break;
 		}
+
+		cackey_free_certs(pcsc_identities, num_certs, 1);
 	}
 
 	/* Issue PIN Verify */
 	send_ret = cackey_send_apdu(slot, GSCIS_CLASS_ISO7816, GSCIS_INSTR_VERIFY, 0x00, key_reference, sizeof(cac_pin), cac_pin, 0x00, &response_code, NULL, NULL);
 
@@ -4081,10 +4081,11 @@
 
 CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
 	CK_C_INITIALIZE_ARGS CK_PTR args;
 	uint32_t idx, highest_slot;
 	int mutex_init_ret;
+	int include_dod_certs;
 
 	CACKEY_DEBUG_PRINTF("Called.");
 
 	if (cackey_initialized) {
 		CACKEY_DEBUG_PRINTF("Error.  Already initialized.");
@@ -4124,11 +4125,25 @@
 		cackey_slots[idx].token_flags = 0;
 		cackey_slots[idx].label = NULL;
 		cackey_slots[idx].internal = 0;
 	}
 
+#ifdef CACKEY_NO_EXTRA_CERTS
+	if (getenv("CACKEY_EXTRA_CERTS") != NULL) {
+		include_dod_certs = 1;
+	} else {
+		include_dod_certs = 0;
+	}
+#else
 	if (getenv("CACKEY_NO_EXTRA_CERTS") != NULL) {
+		include_dod_certs = 0;
+	} else {
+		include_dod_certs = 1;
+	}
+#endif
+
+	if (include_dod_certs == 0) {
 		CACKEY_DEBUG_PRINTF("Asked not to include DoD certificates");
 	} else {
 		highest_slot = (sizeof(cackey_slots) / sizeof(cackey_slots[0])) - 1;
 
 		CACKEY_DEBUG_PRINTF("Including DoD certs in slot %lu", (unsigned long) highest_slot);
@@ -4156,26 +4171,25 @@
 
 	/* Define a command to prompt user for a PIN */
 #ifdef CACKEY_PIN_COMMAND_DEFAULT
 	cackey_pin_command = CACKEY_PIN_COMMAND_DEFAULT_XSTR(CACKEY_PIN_COMMAND_DEFAULT);
 #endif
+
 #ifdef CACKEY_PIN_COMMAND_XONLY_DEFAULT
-	cackey_pin_command_xonly = CACKEY_PIN_COMMAND_DEFAULT_XSTR(CACKEY_PIN_COMMAND_XONLY_DEFAULT);
+	if (getenv("DISPLAY") != NULL) {
+		cackey_pin_command = CACKEY_PIN_COMMAND_DEFAULT_XSTR(CACKEY_PIN_COMMAND_XONLY_DEFAULT);
+	}
 #endif
 
-	if (getenv("DISPLAY") != NULL) {
-		cackey_pin_command = cackey_pin_command_xonly;
+	if (getenv("CACKEY_PIN_COMMAND") != NULL) {
+		cackey_pin_command = getenv("CACKEY_PIN_COMMAND");
 	}
 
 	if (getenv("CACKEY_PIN_COMMAND_XONLY") != NULL && getenv("DISPLAY") != NULL) {
 		cackey_pin_command = getenv("CACKEY_PIN_COMMAND_XONLY");
 	}
 
-	if (getenv("CACKEY_PIN_COMMAND") != NULL) {
-		cackey_pin_command = getenv("CACKEY_PIN_COMMAND");
-	}
-
 	CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK);
 
 	return(CKR_OK);
 }