diff --git a/platform/src/key_keeper.cpp b/platform/src/key_keeper.cpp
index b5bb73e..76756a2 100644
--- a/platform/src/key_keeper.cpp
+++ b/platform/src/key_keeper.cpp
@@ -292,6 +292,7 @@ static struct keyring_private* get_keyring_from_response(const char* data)
 			return NULL;
 		}
 		sk_X509_push(chain, chain_cert);
+		ssl_x509_refcount_inc(chain_cert);
 	}
 	struct keyring_private* _kyr= keyring_new();
 	keyring_set_cert(_kyr, cert);
@@ -328,6 +329,8 @@ static struct keyring_private* generate_x509_keyring(X509* origin_cert, int keyr
 	STACK_OF(X509)* chain = sk_X509_new_null();
 	sk_X509_push(chain, ca);
 	sk_X509_push(chain, forge_cert);
+	ssl_x509_refcount_inc(ca);
+	ssl_x509_refcount_inc(forge_cert);
 	struct keyring_private* _kyr= keyring_new();
 	keyring_set_key(_kyr, forge_key);
 	keyring_set_cert(_kyr, forge_cert);
diff --git a/platform/src/ssl_utils.cc b/platform/src/ssl_utils.cc
index 9b9daee..0e2c306 100644
--- a/platform/src/ssl_utils.cc
+++ b/platform/src/ssl_utils.cc
@@ -2033,7 +2033,7 @@ struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len,
 		_chello->max_version.major = buff[pos];
 		_chello->max_version.minor = buff[pos+1];
 		_chello->max_version.ossl_format=(uint16_t)_chello->max_version.major<<8|_chello->max_version.minor;
-		
+
 		pos += 34;
 		/* Session ID */
     	if (pos + 1 > buff_len)
diff --git a/platform/test/test_tfe_rpc.cpp b/platform/test/test_tfe_rpc.cpp
index 0fe6e38..e687a46 100644
--- a/platform/test/test_tfe_rpc.cpp
+++ b/platform/test/test_tfe_rpc.cpp
@@ -180,6 +180,7 @@ static struct keyring* get_keyring_from_response(const char* data)
 		if(chain_cert)
 			printf("push to chain\n");
 		sk_X509_push(chain, chain_cert);
+		ssl_x509_refcount_inc(chain_cert);
 	}
 	struct keyring_private* _kyr= keyring_new();
 	printf("cert is %s", cert == NULL ? "null" : "not null\n");