diff --git a/src/sbbs3/js_socket.c b/src/sbbs3/js_socket.c
index 4d7a209f8d4d76bc549019e43620796cbddda7f8..b3cbf07c61ba97d35c64ddaca592a444d295c6c1 100644
--- a/src/sbbs3/js_socket.c
+++ b/src/sbbs3/js_socket.c
@@ -2369,8 +2369,10 @@ static JSBool js_socket_set(JSContext *cx, JSObject *obj, jsid id, JSBool strict
 											}
 										}
 										lock_ssl_cert();
-										if (scfg->tls_certificate == -1)
+										if (scfg->tls_certificate == -1) {
+											unlock_ssl_cert();
 											ret = CRYPT_ERROR_NOTAVAIL;
+										}
 										else {
 											ret = cryptSetAttribute(p->session, CRYPT_SESSINFO_PRIVATEKEY, scfg->tls_certificate);
 											if (ret != CRYPT_OK) {
@@ -2384,7 +2386,8 @@ static JSBool js_socket_set(JSContext *cx, JSObject *obj, jsid id, JSBool strict
 									if((ret=do_cryptAttribute(p->session, CRYPT_SESSINFO_ACTIVE, 1))!=CRYPT_OK) {
 										GCES(ret, p, estr, "setting session active");
 									}
-									unlock_ssl_cert();
+									if (tiny != SOCK_PROP_SSL_SESSION)
+										unlock_ssl_cert();
 								}
 							}
 						}
diff --git a/src/sbbs3/websrvr.c b/src/sbbs3/websrvr.c
index a325e318004b3543eb31dfe1be524dca187ebc11..4c96b544e7362c23eb4aec0cda1443e4595dbe3b 100644
--- a/src/sbbs3/websrvr.c
+++ b/src/sbbs3/websrvr.c
@@ -7243,10 +7243,10 @@ void web_server(void* arg)
 			do_cryptInit(); // Must be called by someone before lock_ssl_cert()
 			lock_ssl_cert();
 			if(scfg.tls_certificate != -1) {
-				unlock_ssl_cert();
 				// Init was already called or tls_certificate would be -1...
 				if(do_cryptInit())
 					xpms_add_list(ws_set, PF_UNSPEC, SOCK_STREAM, 0, startup->tls_interfaces, startup->tls_port, "Secure Web Server", open_socket, startup->seteuid, "TLS");
+				unlock_ssl_cert();
 			}
 			else {
 				unlock_ssl_cert();