diff --git a/platform/src/key_keeper.cpp b/platform/src/key_keeper.cpp
index 1124c1d..a8612ac 100644
--- a/platform/src/key_keeper.cpp
+++ b/platform/src/key_keeper.cpp
@@ -234,7 +234,7 @@ static void err_out(X509* cert, EVP_PKEY* key, STACK_OF(X509)* chain)
 	return;
 }
 
-static struct keyring* get_keyring_from_response(const char* data)
+static struct keyring_private* get_keyring_from_response(const char* data)
 {
 	X509* cert = NULL;
 	EVP_PKEY* key = NULL;
@@ -300,7 +300,7 @@ static struct keyring* get_keyring_from_response(const char* data)
 	X509_free(cert);
 	EVP_PKEY_free(key);
 	sk_X509_pop_free(chain, X509_free);
-	return &(_kyr->head);
+	return _kyr;
 }
 
 static long keyring_local_cache_query_cb(void * data, const uchar * key, uint size, void * user_arg)
@@ -356,13 +356,15 @@ static void certstore_rpc_on_succ(void* result, void* user)
 	if(status_code == HTTP_OK)
 	{
 		*(data+len) = '\0';
-		struct keyring* kyr= get_keyring_from_response(data);
-		promise_success(p, (void*)kyr);
+		struct keyring_private* kyr= get_keyring_from_response(data);
+		keyring_ref_inc(kyr);
 		int ret = MESA_htable_add(htable, key, key_len, (void*)kyr);
 		if(ret<0)
 		{
 			key_keeper_free_keyring((struct keyring*)kyr);
 		}
+		promise_success(p, (void*)kyr);
+		key_keeper_free_keyring((struct keyring*)kyr);
 	}
 	else
 	{
@@ -516,15 +518,17 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
 			{
 				filename = keeper->untrusted_ca_path;
 			}
-			struct keyring_private* ring = generate_x509_keyring(origin_cert, keyring_id, filename);
-			if(ring)
+			struct keyring_private* kyr = generate_x509_keyring(origin_cert, keyring_id, filename);
+			if(kyr)
 			{
-				promise_success(p, (void*)ring);
-				int ret = MESA_htable_add(ctx->htable, ctx->key, ctx->key_len, (void*)ring);
-				if(ret<0)
+				keyring_ref_inc(kyr);
+				int ret = MESA_htable_add(ctx->htable, ctx->key, ctx->key_len, (void*)kyr);
+				if(ret < 0)
 				{
-					key_keeper_free_keyring((struct keyring*)ring);
+					key_keeper_free_keyring((struct keyring*)kyr);
 				}
+				promise_success(p, (void*)kyr);
+				key_keeper_free_keyring((struct keyring*)kyr);
 			}
 			else
 			{