diff --git a/ssl_mgmt/ssl_mgmt b/ssl_mgmt/ssl_mgmt
index 6acfc52..308ba71 100755
--- a/ssl_mgmt/ssl_mgmt
+++ b/ssl_mgmt/ssl_mgmt
@@ -278,28 +278,54 @@ generate_cert ()
 certFile=${certPath##*/}
 keyFile=${keyPath##*/}
 keycertFile=${service}-keycert.pem
+
+ # Create the CSR and the key
 openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
- openssl req -in $csrSubdir/$reqFile -text -verify -noout
+ if ! openssl req -in $csrSubdir/$reqFile -text -verify -noout 2>/dev/null
+ then
+ echo "Generated CSR is corrupted." >&2
+ rm $csrSubdir/$reqFile $keySubdir/$keyFile
+ return 1
+ fi
 if ! ask_user_default_no "Is the Certificate Signing Request correct?"
 then
 return 1
 fi
 getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
 chown --reference="$keyPath" $keySubdir/$keyFile
- if [ -z "$no_overwrite" ]
- then
- if [ ! -f "$keyDestDir/$keyFile" ]
- then
- echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
- echo "there might be a problem." >&2
- fi
- mv $keySubdir/$keyFile $keyDestDir
- fi
+
+ # Sign the CSR to make a certificate
 openssl ca -batch -config $opensslCnfFile -cert $CACertPath \
 -keyfile $CAKeyPath -passin file:$rootCAPwdPath \
 -out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
 getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
 chown --reference="$certPath" $certSubdir/$certFile
+
+ # Safety check
+ if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
+ ! openssl verify -CAfile $CACertPath $certSubdir/$certFile >/dev/null 2>&1
+ then
+ echo "Generated certificate is corrupted." >&2
+ rm $certSubdir/$certFile $keySubdir/$keyFile
+ return 1
+ fi
+ if ! openssl rsa -noout -text -in $keySubdir/$keyFile >/dev/null 2>&1
+ then
+ echo "Generated key is corrupted." >&2
+ rm $certSubdir/$certFile $keySubdir/$keyFile
+ return 1
+ fi
+ certModulus=$(openssl x509 -noout -modulus -in $certSubdir/$certFile)
+ keyModulus=$(openssl rsa -noout -modulus -in $keySubdir/$keyFile)
+ if [ -z "$certModulus" -o "$certModulus" != "$keyModulus" ]
+ then
+ echo -n "Generated certificate and key do not match." >&2
+ echo " Aborting." >&2
+ rm $certSubdir/$certFile $keySubdir/$keyFile
+ return 1
+ fi
+
+ # Notify and install the new certificate
 if [ -z "$no_overwrite" ]
 then
 if [ ! -f "$certDestDir/$certFile" ]
@@ -307,6 +333,12 @@ generate_cert ()
 echo "No file named $certFile in directory $certDestDir:" >&2
 echo "there might be a problem" >&2
 fi
+ if [ ! -f "$keyDestDir/$keyFile" ]
+ then
+ echo "Error! No file named $keyFile in directory $keyDestDir:" >&2
+ echo "there might be a problem." >&2
+ fi
+ mv $keySubdir/$keyFile $keyDestDir
 fingerprint="$(openssl x509 -in "$certPath" -noout -fingerprint)"
 fingerprint=${fingerprint#*=}
 if [ -n "$notifiedUsers" ]
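Review bot: The `return 1` taken when the operator answers no to "Is the Certificate Signing Request correct?" still leaves the CSR and the key behind in `$csrSubdir` and `$keySubdir`, and that key was written with `-nodes`, so it stays on disk unencrypted and before the `getfacl`/`chown` step has applied the intended ACL and owner. The new corrupted-CSR branch already cleans up, so the rejection branch should do the same with `rm -- "$csrSubdir/$reqFile" "$keySubdir/$keyFile"` ahead of its `return 1`. The three failure branches after `openssl ca` only delete files, while the certificate has by then been recorded as issued by the CA; consider revoking it with `openssl ca -revoke` before removing it, at least in the modulus-mismatch branch where the certificate itself parses and verifies. generate_cert starts and ends outside this hunk.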
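Review bot: The relocated `mv $keySubdir/$keyFile $keyDestDir` is unquoted and its exit status is ignored, so a failed move (permissions, a full disk, a path containing spaces) lets the function carry on to the fingerprint and notification steps with the old key still in `$keyDestDir`. If the certificate is installed further down, which is not visible here, that would leave a certificate and key in production that do not match, the very condition the new modulus check is meant to rule out. I would write `mv -- "$keySubdir/$keyFile" "$keyDestDir/" || return 1`, and decide whether the "Error! No file named" branch should stop rather than only warn. The enclosing `if [ -z "$no_overwrite" ]` block ends outside the hunk.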