diff --git a/client/client_test.go b/client/client_test.go
index 5b82789118..d4d7126040 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -1588,19 +1588,12 @@ func TestPublishDelegations(t *testing.T) {
 // this is just a sanity test to make sure Publish calls it correctly and
 // no fallback happens.
 func TestPublishDelegationsX509(t *testing.T) {
- var tempDirs [2]string
- for i := 0; i < 2; i++ {
- tempBaseDir, err := ioutil.TempDir("", "notary-test-")
- assert.NoError(t, err, "failed to create a temporary directory: %s", err)
- defer os.RemoveAll(tempBaseDir)
- tempDirs[i] = tempBaseDir
- }
-
- gun := "docker.com/notary"
 ts := fullTestServer(t)
 defer ts.Close()
- repo1, _ := initializeRepo(t, data.ECDSAKey, tempDirs[0], gun, ts.URL, false)
+ repo1, _ := initializeRepo(t, data.ECDSAKey, "docker.com/notary", ts.URL, false)
+ defer os.RemoveAll(repo1.baseDir)
+
 delgKey, err := repo1.CryptoService.Create("targets/a", data.ECDSAKey)
 assert.NoError(t, err, "error creating delegation key")
@@ -1633,9 +1626,8 @@ func TestPublishDelegationsX509(t *testing.T) {
 assert.Len(t, getChanges(t, repo1), 1, "wrong number of changelist files found")
 // Create a new repo and pull from the server
- repo2, err := NewNotaryRepository(tempDirs[1], gun, ts.URL,
- http.DefaultTransport, passphraseRetriever)
- assert.NoError(t, err, "error creating repository: %s", err)
+ repo2 := newRepoToTestRepo(t, repo1)
+ defer os.RemoveAll(repo2.baseDir)
 // pull
 _, err = repo2.ListTargets()
diff --git a/trustmanager/keyfilestore.go b/trustmanager/keyfilestore.go
index 9e1c53d7ee..0f9d821327 100644
--- a/trustmanager/keyfilestore.go
+++ b/trustmanager/keyfilestore.go
@@ -254,7 +254,6 @@ func listKeys(s LimitedFileStore) map[string]string {
 // read it as a PEM
 underscoreIndex := strings.LastIndex(keyIDFull, "_")
 if underscoreIndex == -1 {
- keyID := keyIDFull
 d, err := s.Get(f)
 if err != nil {
 logrus.Error(err)
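Review bot: Cleanup in TestPublishDelegationsX509 is now registered only after the helper returns (`defer os.RemoveAll(repo1.baseDir)`), so a temp directory created inside initializeRepo would be left behind if the helper stops the test before returning. initializeRepo is not visible in this hunk, so that failure path is an assumption to confirm. Because these directories hold freshly generated private keys, the helper should remove its directory on its own failure paths rather than relying on the caller. The same applies to `defer os.RemoveAll(repo2.baseDir)` after newRepoToTestRepo in the second hunk. The test function's body continues outside both hunks.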
@@ -265,7 +264,7 @@ func listKeys(s LimitedFileStore) map[string]string {
 continue
 }
 if role, ok := block.Headers["role"]; ok {
- keyIDMap[keyID] = role
+ keyIDMap[keyIDFull] = role
 }
 } else {
 // The keyID is the first part of the keyname
diff --git a/trustmanager/x509utils.go b/trustmanager/x509utils.go
index 4fbbff987e..6b0bc76258 100644
--- a/trustmanager/x509utils.go
+++ b/trustmanager/x509utils.go
@@ -452,7 +452,7 @@ func EncryptPrivateKey(key data.PrivateKey, role, passphrase string) ([]byte, er
 }
 if encryptedPEMBlock.Headers == nil {
- encryptedPEMBlock.Headers = make(map[string]string)
+ return nil, fmt.Errorf("unable to encrypt key - invalid PEM file produced")
 }
 encryptedPEMBlock.Headers["role"] = role
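Review bot: The role stored by `keyIDMap[keyIDFull] = role` is copied verbatim from the PEM `role` header, and nothing in this hunk checks that it is a well-formed role name. PEM headers sit outside the encoded key body, so for a passphrase-protected key the header is presumably not covered by that protection and can be changed by anyone able to write the key file. I would reject unknown or malformed role values before storing them. I would also log the skipped case instead of dropping the key silently, e.g. `logrus.Debugf("key %s has no role header, skipping", keyIDFull)` in an `else` branch. listKeys starts and ends outside the hunk.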
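Review bot: The new `encryptedPEMBlock.Headers == nil` branch in EncryptPrivateKey has no comment explaining why a nil header map is treated as a failed encryption. Without one, a later reader may restore the `make(map[string]string)` fallback and attach a role header to a block that was never encrypted. I would add `// an encrypted PEM block is expected to carry its encryption headers; a nil map means the key was not encrypted` above the check, with the wording confirmed against the encrypt call, which is outside this hunk. The message also reads more like a conventional Go error with a colon and the right noun: `fmt.Errorf("unable to encrypt key: invalid PEM block produced")`.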