diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index aa9e374165..6988ad7871 100644
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -346,8 +346,16 @@ func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate
 func (c *Certificate) buildChains(cache map[int][][]*Certificate, currentChain []*Certificate, opts *VerifyOptions) (chains [][]*Certificate, err error) {
 possibleRoots, failedRoot, rootErr := opts.Roots.findVerifiedParents(c)
+nextRoot:
 for _, rootNum := range possibleRoots {
 root := opts.Roots.certs[rootNum]
+
+ for _, cert := range currentChain {
+ if cert.Equal(root) {
+ continue nextRoot
+ }
+ }
+
 err = root.isValid(rootCertificate, currentChain, opts)
 if err != nil {
 continue
@@ -360,7 +368,7 @@ nextIntermediate:
 for _, intermediateNum := range possibleIntermediates {
 intermediate := opts.Intermediates.certs[intermediateNum]
 for _, cert := range currentChain {
- if cert == intermediate {
+ if cert.Equal(intermediate) {
 continue nextIntermediate
 }
 }
diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
index 346129219b..5a7481fea1 100644
--- a/src/crypto/x509/verify_test.go
+++ b/src/crypto/x509/verify_test.go
@@ -104,10 +104,6 @@ var verifyTests = []verifyTest{
 expectedChains: [][]string{
 {"Google", "Google Internet Authority", "GeoTrust"},
- // TODO(agl): this is ok, but it would be nice if the
- // chain building didn't visit the same SPKI
- // twice.
- {"Google", "Google Internet Authority", "GeoTrust", "GeoTrust"},
 },
 // CAPI doesn't build the chain with the duplicated GeoTrust
 // entry so the results don't match. Thus we skip this test
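Review bot: The duplicate check added to the `nextRoot` loop relies on `cert.Equal(root)`, which compares the certificates' raw DER bytes, so it only skips a root that is byte-identical to one already in `currentChain`. A re-issued or cross-signed certificate with the same subject and public key but a different encoding would still pass it, which is narrower than the "same SPKI" wording in the TODO this commit deletes from verify_test.go; the same holds for the `cert.Equal(intermediate)` comparison in the second hunk. I would state that limit above the loop, e.g. `// Skip a root already in currentChain. Equal compares raw DER, so a re-issued certificate with the same key is not caught here.` buildChains continues past the end of this hunk, so whether chain length is bounded elsewhere in the function is not visible here.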
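Review bot: The scan over `currentChain` in the `nextIntermediate` loop is now the same code as the one the first hunk adds to the `nextRoot` loop, and two hand-written copies of a verification check tend to drift apart when one of them is tightened later. A small unexported helper would keep them in step and let each call site read `if inChain(currentChain, intermediate) { continue }`, so the inner `continue nextIntermediate` becomes a plain `continue`. The loop begins and ends outside this hunk, so only the helper is sketched below.

```go
// inChain reports whether cert is already present in chain, as judged by
// Certificate.Equal.
func inChain(chain []*Certificate, cert *Certificate) bool {
	for _, c := range chain {
		if c.Equal(cert) {
			return true
		}
	}
	return false
}
```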
@@ -130,12 +126,8 @@ var verifyTests = []verifyTest{
 roots: []string{startComRoot},
 currentTime: 1302726541,
- // Skip when using systemVerify, since Windows
- // can only return a single chain to us (for now).
- systemSkip: true,
 expectedChains: [][]string{
 {"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority"},
- {"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority", "StartCom Certification Authority"},
 },
 },
 {