diff --git a/getssl b/getssl
index 88b4d9f..d73faea 100755
--- a/getssl
+++ b/getssl
@@ -1582,7 +1582,7 @@ get_certificate() { # get certificate for csr, if all domains validated.
 cp "$gc_fullchain" "$cert_to_check"
 i=0
 while [[ $i -le ${#alternate_links[@]} ]]; do
- cert_issuer=$(openssl crl2pkcs7 -nocrl -certfile "$cert_to_check" | openssl pkcs7 -print_certs -text -noout | grep 'Issuer:' | tail -1 | cut -d= -f2)
+ cert_issuer=$(openssl crl2pkcs7 -nocrl -certfile "$cert_to_check" | openssl pkcs7 -print_certs -text -noout | grep 'Issuer:' | tail -1 | awk -F"CN=" '{ print $2 }')
 debug Certificate issued by "$cert_issuer"
 if [[ $cert_issuer = *${PREFERRED_CHAIN}* ]]; then
 debug "Found required certificate"
@@ -2400,9 +2400,10 @@ write_domain_template() { # write out a template file for a domain.
 #USE_SINGLE_ACL="false"
 # Preferred Chain - use an different certificate root from the default
- # Staging options are: "Fake LE Root X1" and "Fake LE Root X2"
+ # This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters
+ # Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
 # Production options are: "ISRG Root X1" and "ISRG Root X2"
- #PREFERRED_CHAIN=""
+ #PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1"
 # Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
 #FULL_CHAIN_INCLUDE_ROOT="true"
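Review bot: The new `awk -F"CN="` split in get_certificate only yields a value when OpenSSL prints the issuer as `CN=name`; OpenSSL 1.1 and later print `CN = name` (spaces around `=`) in `-text` output by default, so on those builds `$2` is empty, `cert_issuer` is blank and the `*${PREFERRED_CHAIN}*` comparison on the following lines cannot find the requested chain. A separator regex tolerates both forms: `awk -F'CN *= *' '{ print $2 }'`. The same field split is used on every new `issuer=`, `PREFERRED_CHAIN=` and `final_issuer=` line of test/35-preferred-chain.bats and test/36-full-chain-inc-root.bats, so it applies there as well. get_certificate starts before and continues after this hunk.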
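Review bot: The new template comment `# This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters` does not say which characters need escaping or why, and the example `#PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1"` leaves the reader guessing whether the backslashes are part of the name. In get_certificate the value is expanded unquoted on the right-hand side of `[[ $cert_issuer = *${PREFERRED_CHAIN}* ]]`, i.e. it is a shell pattern matched as a substring of the issuer name, so I would state that: `# Matched as a substring of the issuer name using shell pattern matching, so a short value such as "X1" works; backslash-escape characters with a pattern meaning ("*", "?", "[" and, with extglob enabled, parentheses)`. The identical comment block in write_getssl_template (the next hunk) should be updated the same way.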
@@ -2462,9 +2463,10 @@ write_getssl_template() { # write out the main template file
 #REUSE_PRIVATE_KEY="true"
 # Preferred Chain - use an different certificate root from the default
- # Staging options are: "Fake LE Root X1" and "Fake LE Root X2"
+ # This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters
+ # Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
 # Production options are: "ISRG Root X1" and "ISRG Root X2"
- #PREFERRED_CHAIN=""
+ #PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1"
 # Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
 #FULL_CHAIN_INCLUDE_ROOT="true"
diff --git a/test/35-preferred-chain.bats b/test/35-preferred-chain.bats
index 4389d3b..0a5821c 100644
--- a/test/35-preferred-chain.bats
+++ b/test/35-preferred-chain.bats
@@ -15,10 +15,12 @@ setup() {
 @test "Use PREFERRED_CHAIN to select an alternate root" {
 if [ -n "$STAGING" ]; then
- PREFERRED_CHAIN="Fake LE Root X2"
+ PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1"
+ CHECK_CHAIN="(STAGING) Pretend Pear X1"
 else
- PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | cut -d= -f2)
+ PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | awk -F"CN=" '{ print $2 }')
 PREFERRED_CHAIN="${PREFERRED_CHAIN# }" # remove leading whitespace
+ CHECK_CHAIN=$PREFERRED_CHAIN
 fi
 CONFIG_FILE="getssl-dns01.cfg"
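Review bot: The rewritten `PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | ...)` in the non-staging branch still accepts an HTTP error response, because `--silent` without `--fail` exits 0 on a 4xx/5xx and passes the error body into `openssl x509`, which then yields an empty `PREFERRED_CHAIN` and `CHECK_CHAIN`; the failure surfaces later as an issuer mismatch rather than at the fetch. `curl --silent --show-error --fail https://pebble:15000/roots/2 | ...` reports the HTTP error on stderr instead of silently producing an empty expected value. The same fetch pattern is used on the later `roots/0` and `roots/2` lines of this file. The test body continues past the end of this hunk.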
@@ -29,21 +31,27 @@ setup() {
 PREFERRED_CHAIN="${PREFERRED_CHAIN}"
 EOF
- create_certificate
+ create_certificate -d
 assert_success
 check_output_for_errors
- issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
+ issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | awk -F"CN=" '{ print $2 }')
 # verify certificate is issued by preferred chain root
- [ "$PREFERRED_CHAIN" = "$issuer" ]
+ if [[ "${CHECK_CHAIN}" != "$issuer" ]]; then
+ echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+ echo "# issuer=$issuer"
+ fi
+
+ [ "${CHECK_CHAIN}" = "$issuer" ]
 }
 @test "Use PREFERRED_CHAIN to select the default root" {
 if [ -n "$STAGING" ]; then
- PREFERRED_CHAIN="Fake LE Root X1"
+ PREFERRED_CHAIN="\(STAGING\) Doctored Durian Root CA X3"
+ CHECK_CHAIN="(STAGING) Doctored Durian Root CA X3"
 else
- PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/0 | openssl x509 -text -noout | grep Issuer: | cut -d= -f2 )
+ PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/0 | openssl x509 -text -noout | grep Issuer: | awk -F"CN=" '{ print $2 }')
 PREFERRED_CHAIN="${PREFERRED_CHAIN# }" # remove leading whitespace
 fi
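Review bot: In the `@test "Use PREFERRED_CHAIN to select the default root"` part of this hunk, `CHECK_CHAIN` is assigned only in the STAGING branch (`CHECK_CHAIN="(STAGING) Doctored Durian Root CA X3"`); the `else` branch sets `PREFERRED_CHAIN` from `roots/0` but never sets `CHECK_CHAIN`, whereas the first test's `else` branch adds `CHECK_CHAIN=$PREFERRED_CHAIN`. Each bats test runs in its own process, so the `[ "${CHECK_CHAIN}" = "$issuer" ]` check added in the next hunk (-59) would compare the issuer against an empty value on a pebble run unless setup(), which is outside this hunk, sets it; add `CHECK_CHAIN=$PREFERRED_CHAIN` after the `# remove leading whitespace` line of that `else` branch. Separately, the new `if [[ "${CHECK_CHAIN}" != "$issuer" ]]; then … fi` echo block plus the `[ … ]` test re-implements `assert_equal "$issuer" "${CHECK_CHAIN}"` from bats-assert, which this file already uses via `assert_success` and which prints both values on failure; the same hand-rolled compare-then-echo block is added in the two later hunks of this file and in both hunks of test/36-full-chain-inc-root.bats. Both test bodies extend beyond this hunk.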
@@ -59,17 +67,21 @@ EOF
 assert_success
 check_output_for_errors
- issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
+ issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | awk -F"CN=" '{ print $2 }')
 # verify certificate is issued by preferred chain root
- [ "$PREFERRED_CHAIN" = "$issuer" ]
+ if [[ "${CHECK_CHAIN}" != "$issuer" ]]; then
+ echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+ echo "# issuer=$issuer"
+ fi
+ [ "${CHECK_CHAIN}" = "$issuer" ]
 }
 @test "Use PREFERRED_CHAIN to select an alternate root by suffix" {
 if [ -n "$STAGING" ]; then
- FULL_PREFERRED_CHAIN="Fake LE Root X2"
+ FULL_PREFERRED_CHAIN="(STAGING) Pretend Pear X1"
 else
- FULL_PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | cut -d= -f2)
+ FULL_PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | awk -F"CN=" '{ print $2 }')
 FULL_PREFERRED_CHAIN="${FULL_PREFERRED_CHAIN# }" # remove leading whitespace
 fi
@@ -87,9 +99,12 @@ EOF
 assert_success
 check_output_for_errors
- issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
+ issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | awk -F"CN=" '{ print $2 }')
 # verify certificate is issued by preferred chain root
- echo "# ${issuer}"
- echo "# ${FULL_PREFERRED_CHAIN}"
- [ "$FULL_PREFERRED_CHAIN" = "$issuer" ]
+ if [[ "${FULL_PREFERRED_CHAIN}" != "$issuer" ]]; then
+ echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+ echo "# FULL_PREFERRED_CHAIN=$FULL_PREFERRED_CHAIN"
+ echo "# issuer=$issuer"
+ fi
+ [ "${FULL_PREFERRED_CHAIN}" = "$issuer" ]
 }
diff --git a/test/36-full-chain-inc-root.bats b/test/36-full-chain-inc-root.bats
index 5932ea7..5b29d0b 100644
--- a/test/36-full-chain-inc-root.bats
+++ b/test/36-full-chain-inc-root.bats
@@ -27,22 +27,27 @@ EOF
 check_output_for_errors
 if [ -n "$STAGING" ]; then
- PREFERRED_CHAIN="Fake LE Root X1"
+ PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
 else
 # pebble doesn't support CA Issuers so the fullchain.crt will just contain the certificate (code path means it won't contain the intermediate cert in this case)
 # This is testing that requesting FULL_CHAIN_INCLUDE_ROOT doesn't fail if there is no CA Issuers in the certificate
- PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
+ PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
 fi
- final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
+ final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
+
 # verify certificate includes the chain root
- [ "$PREFERRED_CHAIN" = "$final_issuer" ]
+ if [[ "${PREFERRED_CHAIN}" != "$final_issuer" ]]; then
+ echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+ echo "# final_issuer=$final_issuer"
+ fi
+ [ "${PREFERRED_CHAIN}" = "$final_issuer" ]
 }
 @test "Use FULL_CHAIN_INCLUDE_ROOT with dual certificates" {
 if [ -n "$STAGING" ]; then
- PREFERRED_CHAIN="Fake LE Root X1"
+ PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
 fi
 CONFIG_FILE="getssl-dns01.cfg"
@@ -66,16 +71,24 @@ EOF
 assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt" ]
 if [ -n "$STAGING" ]; then
- PREFERRED_CHAIN="Fake LE Root X1"
+ PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
 else
 # pebble doesn't support CA Issuers so the fullchain.crt will just contain the certificate (code path means it won't contain the intermediate cert in this case)
 # This is testing that requesting FULL_CHAIN_INCLUDE_ROOT doesn't fail if there is no CA Issuers in the certificate
- PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
+ PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
 fi
 # verify both rsa and ecdsa certificates include the chain root
- final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
- [ "$PREFERRED_CHAIN" = "$final_issuer" ]
- ecdsa_final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | cut -d= -f2)
- [ "$PREFERRED_CHAIN" = "$ecdsa_final_issuer" ]
+ final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
+ if [[ "${PREFERRED_CHAIN}" != "$final_issuer" ]]; then
+ echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+ echo "# final_issuer=$final_issuer"
+ fi
+ [ "${PREFERRED_CHAIN}" = "$final_issuer" ]
+ ecdsa_final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
+ if [[ "$PREFERRED_CHAIN" != "$ecdsa_final_issuer" ]]; then
+ echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+ echo "# ecdsa_final_issuer=$ecdsa_final_issuer"
+ fi
+ [ "${PREFERRED_CHAIN}" = "$ecdsa_final_issuer" ]
 }