diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 2c5724f7c..0d99a748f 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -971,7 +971,7 @@ check_key_usage(hx509_context context, const Certificate *cert,
     size_t size;
     int ret;
     size_t i = 0;
-    unsigned ku_flags;
+    uint64_t ku_flags;
 
     if (_hx509_cert_get_version(cert) < 3)
 	return 0;
@@ -992,14 +992,16 @@ check_key_usage(hx509_context context, const Certificate *cert,
 	return ret;
     ku_flags = KeyUsage2int(ku);
     if ((ku_flags & flags) != flags) {
-	unsigned missing = (~ku_flags) & flags;
+	uint64_t missing = (~ku_flags) & flags;
 	char buf[256], *name;
 
-	unparse_flags(missing, asn1_KeyUsage_units(), buf, sizeof(buf));
+	int result = unparse_flags(missing, asn1_KeyUsage_units(),
+				   buf, sizeof(buf));
 	_hx509_unparse_Name(&cert->tbsCertificate.subject, &name);
 	hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
 			       "Key usage %s required but missing "
-			       "from certificate %s", buf,
+			       "from certificate %s",
+			       (result > 0) ? buf : "<unknown>",
                                name ? name : "<unknown>");
 	free(name);
 	return HX509_KU_CERT_MISSING;
diff --git a/lib/hx509/ks_p11.c b/lib/hx509/ks_p11.c
index 289fb4ecc..265523b38 100644
--- a/lib/hx509/ks_p11.c
+++ b/lib/hx509/ks_p11.c
@@ -38,7 +38,7 @@
 #include "ref/pkcs11.h"
 
 struct p11_slot {
-    int flags;
+    uint64_t flags;
 #define P11_SESSION		1
 #define P11_SESSION_IN_USE	2
 #define P11_LOGIN_REQ		4