diff --git a/security/nss/cmd/signtool/certgen.c b/security/nss/cmd/signtool/certgen.c
index 724ce93e125..4687a7841f2 100644
--- a/security/nss/cmd/signtool/certgen.c
+++ b/security/nss/cmd/signtool/certgen.c
@@ -108,6 +108,7 @@ GenerateCert(char *nickname, int keysize, char *token)
 
 	if(cert) {
 		output_ca_cert(cert, db);
+		CERT_DestroyCertificate(cert);
 	}
 
 	PORT_Free(subject);
@@ -340,6 +341,8 @@ GenerateSelfSignedObjectSigningCert(char *nickname, CERTCertDBHandle *db,
 
 	/* !!! Free memory ? !!! */
 	PK11_FreeSlot(slot);
+	SECKEY_DestroyPrivateKey(privk);
+	SECKEY_DestroyPublicKey(pubk);
 
 	return cert;
 }
@@ -670,11 +673,13 @@ output_ca_cert (CERTCertificate *cert, CERTCertDBHandle *db)
   certChain = SEC_PKCS7CreateCertsOnly (cert, PR_TRUE, db);
   encodedCertChain 
      = SEC_PKCS7EncodeItem (NULL, NULL, certChain, NULL, NULL, NULL);
+  SEC_PKCS7DestroyContentInfo (certChain);
 
   if (encodedCertChain) 
     {
     fprintf(out, "Content-type: application/x-x509-ca-cert\n\n");
     fwrite (encodedCertChain->data, 1, encodedCertChain->len, out);
+    SECITEM_FreeItem(encodedCertChain, PR_TRUE);
     }
   else {
     PR_fprintf(errorFD, "%s: Can't DER encode this certificate\n", PROGRAM_NAME);
diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c
index ae732644a6a..59323c92dfa 100644
--- a/security/nss/cmd/signtool/sign.c
+++ b/security/nss/cmd/signtool/sign.c
@@ -267,6 +267,7 @@ create_pk7 (char *dir, char *keyName, int *keyType)
 
   status = SignFile (out, in, cert);
 
+  CERT_DestroyCertificate (cert);
   fclose (in);
   fclose (out);
 
@@ -293,6 +294,7 @@ jar_find_key_type (CERTCertificate *cert)
 {
   PK11SlotInfo *slot = NULL;
   SECKEYPrivateKey *privk = NULL;
+  KeyType keyType;
 
   /* determine its type */
   PK11_FindObjectForCert (cert, /*wincx*/ NULL, &slot);
@@ -305,6 +307,7 @@ jar_find_key_type (CERTCertificate *cert)
     }
 
   privk = PK11_FindPrivateKeyFromCert (slot, cert, /*wincx*/ NULL);
+  PK11_FreeSlot (slot);
 
   if (privk == NULL)
     {
@@ -313,7 +316,9 @@ jar_find_key_type (CERTCertificate *cert)
     return 0;
     }
 
-  return privk->keyType;
+  keyType = privk->keyType;
+  SECKEY_DestroyPrivateKey (privk);
+  return keyType;
   }
 
 
diff --git a/security/nss/cmd/signtool/signtool.c b/security/nss/cmd/signtool/signtool.c
index 77f55980b7d..4e023682503 100644
--- a/security/nss/cmd/signtool/signtool.c
+++ b/security/nss/cmd/signtool/signtool.c
@@ -1044,6 +1044,11 @@ cleanup:
 		PR_Close(outputFD);
 	}
 	rm_dash_r(TMP_OUTPUT);
+	if (retval == 0) {
+		if (NSS_Shutdown() != SECSuccess) {
+			exit(1);
+		}
+	}
   return retval;
 }