diff --git a/lib/browserid/views.js b/lib/browserid/views.js
index c39f167911ab638336cf2240a95680a130679bd8..93de723d3166c5e8c33345911f9a9a7b97705ab4 100644
--- a/lib/browserid/views.js
+++ b/lib/browserid/views.js
@@ -103,9 +103,16 @@ exports.setup = function(app) {
     })(url, REDIRECTS[url]);
   }
 
+  try {
+    const publicKey = secrets.loadPublicKey('root', config.get('var_path'));
+  } catch(e){
+    logger.error("can't read public key, exiting: " + e);
+    setTimeout(function() { process.exit(1); }, 0);
+  }
+
   // the public key
   app.get("/pk", function(req, res) {
-    res.json(config.get('public_key').toSimpleObject());
+    res.json(publicKey.toSimpleObject());
   });
 
   // vep bundle of JavaScript
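Review bot: `const publicKey` is declared inside the `try` block but read by the `/pk` handler outside it; with block-scoped `const` (strict mode, or any current Node) that read throws a ReferenceError, and it only works where the engine treats `const` as function-scoped. Declare it before the block with `var publicKey;` and assign `publicKey = secrets.loadPublicKey('root', config.get('var_path'));` inside the `try`. Because the exit in the `catch` is deferred through `setTimeout`, setup also carries on and registers `/pk` with no key when loading fails. The same pattern appears in the lib/keysigner/ca.js hunks (`secret_key` and `public_key`, the latter read by `exports.PUBLIC_KEY`) and in lib/verifier/certassertion.js (`publicKey` seeded into `publicKeys`). `exports.setup` begins outside this hunk, and the hunk does not show where `secrets` is required in this file.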
diff --git a/lib/configuration.js b/lib/configuration.js
index 97b6c8d4003121f6db0b898113f015dd14c1c020..c6afb609e635065975d5857eb1c8d3bcaaed4529 100644
--- a/lib/configuration.js
+++ b/lib/configuration.js
@@ -219,8 +219,6 @@ g_config['express_log_format'] = (exports.get('env') === 'production' ? 'default
 // on the path, we'll use that, otherwise we'll name it 'ephemeral'.
 g_config['process_type'] = path.basename(process.argv[1], ".js");
 
-g_config['public_key'] = secrets.loadPublicKey('root', exports.get('var_path'));
-
 // only allow the dbwriter process to write to the database (or the unit tests)
 g_config.database.may_write = (g_config.process_type === 'dbwriter' ||
                                g_config.process_type === 'vows' ||
diff --git a/lib/keysigner/ca.js b/lib/keysigner/ca.js
index 85a1215e30bf8cc211d8424e95c38cf85b63d453..8150c2022f16db6b60864bdfa5d4f447ba4cc03a 100644
--- a/lib/keysigner/ca.js
+++ b/lib/keysigner/ca.js
@@ -47,11 +47,11 @@ var jwcert = require('jwcrypto/jwcert'),
 
 var HOSTNAME = config.get('hostname');
 
-const secret_key = secrets.loadSecretKey('root', config.get('var_path'));
-
-if (!secret_key) {
-  logger.error("no secret key read from " + config.get('var_path') +
-               " can't continue");
+try {
+  const secret_key = secrets.loadSecretKey('root', config.get('var_path'));
+  const public_key = secrets.loadPublicKey('root', config.get('var_path'));
+} catch(e){
+  logger.error("can't read keys, exiting: " + e);
   setTimeout(function() { process.exit(1); }, 0);
 }
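Review bot: The explicit `if (!secret_key)` guard is removed here, so startup now depends entirely on `loadSecretKey` throwing for every failure. The lib/secrets.js hunks show only the file read; whether the rest of those functions can still return null (for example on unparsable key data) is not visible in this diff. If they can, the key signer would start without a signing key and fail only when asked to certify. Keeping a check inside the `try`, such as `if (!secret_key || !public_key) throw new Error("key material missing");`, makes the process fail closed in both cases.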
 
@@ -89,4 +89,4 @@ exports.certify = certify;
 exports.verifyChain = verifyChain;
 exports.parsePublicKey = parsePublicKey;
 exports.parseCert = parseCert;
-exports.PUBLIC_KEY = config.get('public_key');
+exports.PUBLIC_KEY = public_key;
diff --git a/lib/secrets.js b/lib/secrets.js
index 41d53d0244f928295f267b0bf0ba5dc9d5c0689d..b3ca9ad06b5502a2b8b95de295e1a584c207a9ef 100644
--- a/lib/secrets.js
+++ b/lib/secrets.js
@@ -68,7 +68,8 @@ exports.loadSecretKey = function(name, dir) {
   var fileExists = false;
   var secret = undefined;
 
-  try{ secret = fs.readFileSync(p).toString(); } catch(e) {};
+  // may throw
+  secret = fs.readFileSync(p).toString();
 
   if (secret === undefined) {
     return null;
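Review bot: With the `try`/`catch` gone, `fs.readFileSync(p).toString()` either throws or yields a string, so the `if (secret === undefined) return null;` check that follows can no longer fire and the `= undefined` initialiser is dead; the same applies to the `loadPublicKey` hunk below. Either drop the check or keep the null-return contract, but leaving both suggests to callers that null is still a possible result. The `// may throw` comment would serve better as a statement of the contract, for example `// throws if the key file is missing or unreadable; callers must treat this as fatal`. Both function bodies continue outside the hunks.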
@@ -83,7 +84,8 @@ exports.loadPublicKey = function(name, dir) {
   var fileExists = false;
   var secret = undefined;
 
-  try{ secret = fs.readFileSync(p).toString(); } catch(e) {};
+  // may throw
+  secret = fs.readFileSync(p).toString();
 
   if (secret === undefined) {
     return null;
diff --git a/lib/verifier/certassertion.js b/lib/verifier/certassertion.js
index 618867087547fb0c89ebf9bb498a9292815116d6..44d113f31417598501ab1a092bdbd119052a6960 100644
--- a/lib/verifier/certassertion.js
+++ b/lib/verifier/certassertion.js
@@ -45,15 +45,23 @@ jwk = require("jwcrypto/jwk"),
 jwt = require("jwcrypto/jwt"),
 jwcert = require("jwcrypto/jwcert"),
 vep = require("jwcrypto/vep"),
-config = require("../../lib/configuration.js"),
-logger = require("../../lib/logging.js").logger;
+config = require("../configuration.js"),
+logger = require("../logging.js").logger,
+secrets = require('../secrets.js');
 
 const HOSTMETA_URL = "/.well-known/host-meta";
 
 var publicKeys = {};
 
-// set up some default public keys
-publicKeys[config.get('hostname')] = config.get('public_key');
+try {
+  const publicKey = secrets.loadPublicKey('root', config.get('var_path'));
+} catch(e){
+  logger.error("can't read public key, exiting: " + e);
+  setTimeout(function() { process.exit(1); }, 0);
+}
+
+publicKeys[config.get('hostname')] = publicKey;
+
 logger.debug("pre-seeded public key cache with key for " +
              config.get('hostname'));