diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index a883c453b..76917bae6 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -129,6 +129,7 @@ hx509_context_set_missing_revoke(hx509_context context, int flag)
 void
 hx509_context_free(hx509_context *context)
 {
+    hx509_clear_error_string(*context);
     if ((*context)->ks_ops) {
 	free((*context)->ks_ops);
 	(*context)->ks_ops = NULL;
@@ -204,12 +205,11 @@ hx509_cert_init(hx509_context context, const Certificate *c, hx509_cert *cert)
     (*cert)->release = NULL;
     (*cert)->ctx = NULL;
 
-    (*cert)->data = malloc(sizeof(*(*cert)->data));
+    (*cert)->data = calloc(1, sizeof(*(*cert)->data));
     if ((*cert)->data == NULL) {
 	free(*cert);
 	return ENOMEM;
     }
-    memset((*cert)->data, 0, sizeof(*(*cert)->data));
     ret = copy_Certificate(c, (*cert)->data);
     if (ret) {
 	free((*cert)->data);
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index 264345202..2a4e87eb4 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -312,6 +312,7 @@ cms_unenvelope(struct cms_unenvelope_options *opt, int argc, char **argv)
 
     _hx509_unmap_file(p, sz);
     hx509_lock_free(lock);
+    hx509_certs_free(&certs);
 
     ret = _hx509_write_file(argv[1], o.data, o.length);
     if (ret)
@@ -369,6 +370,8 @@ cms_create_enveloped(struct cms_envelope_options *opt, int argc, char **argv)
     if (ret)
 	errx(1, "hx509_cms_envelope_1: %d", ret);
 
+    hx509_cert_free(cert);
+    hx509_certs_free(&certs);
     _hx509_unmap_file(p, sz);
 
     if (opt->content_info_flag) {
@@ -700,6 +703,7 @@ query(struct query_options *opt, int argc, char **argv)
     }
 
     hx509_cert_free(c);
+    hx509_certs_free(&certs);
 
     hx509_lock_free(lock);
 
@@ -767,6 +771,9 @@ ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv)
     if (nonce)
 	der_free_octet_string(nonce);
 
+    hx509_certs_free(&reqcerts);
+    hx509_certs_free(&pool);
+
     return 0;
 }