diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py
index 26f9795ae..e07dbcf88 100644
--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@@ -25,7 +25,10 @@ def _ensure_subprocess():
 
 
 def cms_verify(formatted, signing_cert_file_name, ca_file_name):
-    """Verifies the signature of the contents IAW CMS syntax."""
+    """Verifies the signature of the contents IAW CMS syntax.
+
+    :raises: subprocess.CalledProcessError
+    """
     _ensure_subprocess()
     process = subprocess.Popen(["openssl", "cms", "-verify",
                                 "-certfile", signing_cert_file_name,
@@ -39,7 +42,8 @@ def cms_verify(formatted, signing_cert_file_name, ca_file_name):
     output, err = process.communicate(formatted)
     retcode = process.poll()
     if retcode:
-        LOG.warning('Verify error: %s' % err)
+        # Do not log errors, as some happen in the positive thread
+        # instead, catch them in the calling code and log them there.
         # NOTE(dmllr): Python 2.6 compatibility:
         # CalledProcessError did not have output keyword argument
         e = subprocess.CalledProcessError(retcode, "openssl")
diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
index 6537a6778..658cce542 100644
--- a/keystoneclient/middleware/auth_token.py
+++ b/keystoneclient/middleware/auth_token.py
@@ -1047,6 +1047,7 @@ class AuthProtocol(object):
                 if self.cert_file_missing(err.output, self.ca_file_name):
                     self.fetch_ca_cert()
                     continue
+                self.LOG.warning('Verify error: %s' % err)
                 raise err
             return output