diff --git a/bin/browserid b/bin/browserid
index 985da85a5ffa827dd4b506301a00a072ae3f2492..5651b70ab405a17a66710c44df1a3a0a15bed8a9 100755
--- a/bin/browserid
+++ b/bin/browserid
@@ -46,7 +46,6 @@ express = require('express');
 
 const
 wsapi = require('../lib/browserid/wsapi.js'),
-ca = require('../lib/browserid/ca.js'),
 httputils = require('../lib/httputils.js'),
 secrets = require('../lib/secrets.js'),
 db = require('../lib/db.js'),
@@ -185,7 +184,7 @@ function router(app) {
 
   // the public key
   app.get("/pk", function(req, res) {
-    res.json(ca.PUBLIC_KEY.toSimpleObject());
+    res.json(config.get('public_key').toSimpleObject());
   });
 
   // vep bundle of JavaScript
diff --git a/lib/browserid/ca.js b/lib/browserid/ca.js
deleted file mode 100644
index be126993d5d81f653aa69da512fff24a20040845..0000000000000000000000000000000000000000
--- a/lib/browserid/ca.js
+++ /dev/null
@@ -1,82 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is Mozilla BrowserID.
- *
- * The Initial Developer of the Original Code is Mozilla.
- * Portions created by the Initial Developer are Copyright (C) 2011
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *     Ben Adida <benadida@mozilla.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-// certificate authority
-
-var jwcert = require('jwcrypto/jwcert'),
-    jwk = require('jwcrypto/jwk'),
-    jws = require('jwcrypto/jws'),
-    config = require('../configuration.js'),
-    path = require("path"),
-    fs = require("fs");
-
-var HOSTNAME = config.get('hostname');
-
-function parsePublicKey(serializedPK) {
-  return jwk.PublicKey.deserialize(serializedPK);
-}
-
-function parseCert(serializedCert) {
-  var cert = new jwcert.JWCert();
-  cert.parse(serializedCert);
-  return cert;
-}
-
-function certify(email, publicKey, expiration) {
-  if (expiration == null)
-    throw "expiration cannot be null";
-  return new jwcert.JWCert(HOSTNAME, expiration, publicKey, {email: email}).sign(config.get('secret_key'));
-}
-
-function verifyChain(certChain, cb) {
-  // raw certs
-  return jwcert.JWCert.verifyChain(
-    certChain, new Date(),
-    function(issuer, next) {
-      // for now we only do browserid.org issued keys
-      if (issuer != HOSTNAME)
-        return next(null);
-
-      next(exports.PUBLIC_KEY);
-    }, cb);
-}
-
-// exports, not the key stuff
-exports.certify = certify;
-exports.verifyChain = verifyChain;
-exports.parsePublicKey = parsePublicKey;
-exports.parseCert = parseCert;
-exports.PUBLIC_KEY = config.get('public_key');
diff --git a/lib/browserid/wsapi.js b/lib/browserid/wsapi.js
index 5194a066a2eef16993b8af7aeb14a27c57ce591f..a76778e8ab69fc74c3cb4b1615e2fb9982bcc595 100644
--- a/lib/browserid/wsapi.js
+++ b/lib/browserid/wsapi.js
@@ -46,7 +46,6 @@ email = require('./email.js'),
 bcrypt = require('bcrypt'),
 crypto = require('crypto'),
 logger = require('../logging.js').logger,
-ca = require('./ca.js'),
 config = require('../configuration.js'),
 validate = require('../validate'),
 forward = require('./http_forward.js');
diff --git a/lib/configuration.js b/lib/configuration.js
index da7982c4415a1a4518d97c51965927241305cc92..22cd848c6e054091b60194ac5bcfb2b64ba0d19c 100644
--- a/lib/configuration.js
+++ b/lib/configuration.js
@@ -209,7 +209,6 @@ g_config['express_log_format'] = (exports.get('env') === 'production' ? 'default
 // on the path, we'll use that, otherwise we'll name it 'ephemeral'.
 g_config['process_type'] = path.basename(process.argv[1], ".js");
 
-g_config['secret_key'] = secrets.loadSecretKey('root', exports.get('var_path'));
 g_config['public_key'] = secrets.loadPublicKey('root', exports.get('var_path'));
 
 // log the process_type
diff --git a/lib/keysigner/ca.js b/lib/keysigner/ca.js
index e5fe4f884a312c6167dada7a8d8fca422dd6522e..31c95068c502f2f21c6105909f351f90698422f8 100644
--- a/lib/keysigner/ca.js
+++ b/lib/keysigner/ca.js
@@ -41,10 +41,13 @@ var jwcert = require('jwcrypto/jwcert'),
     jws = require('jwcrypto/jws'),
     path = require("path"),
     fs = require("fs"),
-    config = require('../configuration.js');
+    config = require('../configuration.js'),
+    secrets = require('../secrets.js');
 
 var HOSTNAME = config.get('hostname');
 
+const secret_key =  secrets.loadSecretKey('root', config.get('var_path'));
+
 function parsePublicKey(serializedPK) {
   return jwk.PublicKey.deserialize(serializedPK);
 }
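Review bot: The added `const secret_key = secrets.loadSecretKey('root', config.get('var_path'));` runs at module load, so every process that requires `lib/keysigner/ca.js` reads the root signing key into memory, even if it only wants `parsePublicKey`, `parseCert` or `verifyChain`. The two test files later in this diff now require this module. Since the commit appears aimed at keeping the secret key out of the shared configuration, consider resolving the key on first use from `certify` (next hunk), e.g. `var secret_key; function getSecretKey() { return secret_key || (secret_key = secrets.loadSecretKey('root', config.get('var_path'))); }`, or moving the verification helpers into a module that never touches the secret. If the eager load is kept so the keysigner fails at startup, say so in a comment such as `// root signing key: require this module only from the keysigner process`. Nothing visible checks the value `loadSecretKey` returns, so a missing key would presumably only surface when `.sign(secret_key)` runs; the rest of the file is outside these hunks.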
@@ -58,7 +61,7 @@ function parseCert(serializedCert) {
 function certify(email, publicKey, expiration) {
   if (expiration == null)
     throw "expiration cannot be null";
-  return new jwcert.JWCert(HOSTNAME, expiration, publicKey, {email: email}).sign(config.get('secret_key'));
+  return new jwcert.JWCert(HOSTNAME, expiration, publicKey, {email: email}).sign(secret_key);
 }
 
 function verifyChain(certChain, cb) {
diff --git a/tests/ca-test.js b/tests/ca-test.js
index 959da66421edd220f45d46ea01ca0200ba03dc5f..7336c88a0491a07dda1ed4bb8057b1cb825030d9 100755
--- a/tests/ca-test.js
+++ b/tests/ca-test.js
@@ -42,7 +42,7 @@ vows = require('vows'),
 start_stop = require('./lib/start-stop.js'),
 wsapi = require('./lib/wsapi.js'),
 email = require('../lib/browserid/email.js'),
-ca = require('../lib/browserid/ca.js'),
+ca = require('../lib/keysigner/ca.js'),
 jwcert = require('jwcrypto/jwcert'),
 jwk = require('jwcrypto/jwk'),
 jws = require('jwcrypto/jws');
diff --git a/tests/cert-emails-test.js b/tests/cert-emails-test.js
index 3155c85bbcef83751db77d8f49adf9d8d6ac20e1..e8c313a2553b15243cf6f72a2f0d147fb5537371 100755
--- a/tests/cert-emails-test.js
+++ b/tests/cert-emails-test.js
@@ -42,7 +42,7 @@ vows = require('vows'),
 start_stop = require('./lib/start-stop.js'),
 wsapi = require('./lib/wsapi.js'),
 email = require('../lib/browserid/email.js'),
-ca = require('../lib/browserid/ca.js'),
+ca = require('../lib/keysigner/ca.js'),
 jwcert = require('jwcrypto/jwcert'),
 jwk = require('jwcrypto/jwk'),
 jws = require('jwcrypto/jws'),
diff --git a/tests/cookie-session-security-test.js b/tests/cookie-session-security-test.js
index 9070a55cd3536f2548efa1ea08f5490f9d06a831..17705ed9d492581b13a688612856d5daae022a11 100755
--- a/tests/cookie-session-security-test.js
+++ b/tests/cookie-session-security-test.js
@@ -43,7 +43,6 @@ start_stop = require('./lib/start-stop.js'),
 wsapi = require('./lib/wsapi.js'),
 wcli = require('../lib/wsapi_client.js');
 email = require('../lib/browserid/email.js'),
-ca = require('../lib/browserid/ca.js'),
 jwcert = require('jwcrypto/jwcert'),
 jwk = require('jwcrypto/jwk'),
 jws = require('jwcrypto/jws');