diff --git a/src/nss/app.c b/src/nss/app.c
index 0fabfa428..a640bcaa8 100644
--- a/src/nss/app.c
+++ b/src/nss/app.c
@@ -862,9 +862,9 @@ xmlSecNssAppPkcs12LoadSECItem(SECItem* secItem, const char *pwd,
     SECKEYPrivateKey *privkey = NULL;
     SECKEYPublicKey *pubkey = NULL;
     CERTCertList *certlist = NULL;
-    CERTCertListNode    *head = NULL;
-    CERTCertificate     *cert = NULL;
-    CERTCertificate     *tmpcert = NULL;
+    CERTCertListNode *head = NULL;
+    CERTCertificate *cert = NULL;
+    CERTCertificate *tmpcert = NULL;
     SEC_PKCS12DecoderContext *p12ctx = NULL;
     const SEC_PKCS12DecoderItem *dip;
     size_t pwdSize;
@@ -982,7 +982,6 @@ xmlSecNssAppPkcs12LoadSECItem(SECItem* secItem, const char *pwd,
             ret = xmlSecNssKeyDataX509AdoptKeyCert(x509Data, tmpcert);
             if(ret < 0) {
                 xmlSecInternalError("xmlSecNssKeyDataX509AdoptKeyCert", NULL);
-                CERT_DestroyCertificate(tmpcert);
                 goto done;
             }
             tmpcert = NULL; /* owned by x509Data now */
@@ -995,7 +994,6 @@ xmlSecNssAppPkcs12LoadSECItem(SECItem* secItem, const char *pwd,
             ret = xmlSecNssKeyDataX509AdoptCert(x509Data, tmpcert);
             if(ret < 0) {
                 xmlSecInternalError("xmlSecNssKeyDataX509AdoptCert", NULL);
-                CERT_DestroyCertificate(tmpcert);
                 goto done;
             }
             tmpcert = NULL; /* owned by x509Data now */
@@ -1053,6 +1051,9 @@ xmlSecNssAppPkcs12LoadSECItem(SECItem* secItem, const char *pwd,
     key = NULL;
 
 done:
+    if(tmpcert != NULL) {
+        CERT_DestroyCertificate(tmpcert);
+    }
     if(key != NULL) {
         xmlSecKeyDestroy(key);
     }
diff --git a/src/nss/x509.c b/src/nss/x509.c
index 099732065..98c63528e 100644
--- a/src/nss/x509.c
+++ b/src/nss/x509.c
@@ -581,7 +581,7 @@ xmlSecNssKeyDataX509Duplicate(xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src) {
                     return(-1);
                 }
             }
-            cert = NULL; /* owned by dst now */
+            /* cert is owned by dst now */
         }
     }
 
@@ -1463,7 +1463,7 @@ xmlSecNssX509CrlListDuplicate(xmlSecNssX509CrlNodePtr head) {
             xmlSecNssX509CrlListDestroy(newHead);
             return(NULL);
         }
-        crl = NULL; /* owned by newHead now */
+        /* crl is owned by newHead now */
     }
 
     /* done */
diff --git a/src/openssl/app.c b/src/openssl/app.c
index 59d322475..a3984207e 100644
--- a/src/openssl/app.c
+++ b/src/openssl/app.c
@@ -892,7 +892,6 @@ xmlSecOpenSSLAppStoreKeyLoad(const char *uri, xmlSecKeyDataType type, const char
             ret = sk_X509_push(certs, cert);
             if(ret <= 0) {
                 xmlSecOpenSSLError("sk_X509_push", NULL);
-                X509_free(cert);
                 goto done;
             }
             cert = NULL; /* owned by certs now */
@@ -942,6 +941,9 @@ xmlSecOpenSSLAppStoreKeyLoad(const char *uri, xmlSecKeyDataType type, const char
     /* success! */
 
 done:
+    if(cert != NULL) {
+        X509_free(cert);
+    }
     if(pPrivKey != NULL) {
         EVP_PKEY_free(pPrivKey);
     }