diff --git a/clc/modules/walrus/src/main/java/edu/ucsb/eucalyptus/cloud/ws/WalrusImageManager.java b/clc/modules/walrus/src/main/java/edu/ucsb/eucalyptus/cloud/ws/WalrusImageManager.java
index 87914bf1c67..ac02631c8ba 100644
--- a/clc/modules/walrus/src/main/java/edu/ucsb/eucalyptus/cloud/ws/WalrusImageManager.java
+++ b/clc/modules/walrus/src/main/java/edu/ucsb/eucalyptus/cloud/ws/WalrusImageManager.java
@@ -232,11 +232,12 @@ private String decryptImage(String bucketName, String objectKey, String userId,
 try {
 boolean verified = false;
 for(User user:Users.listAllUsers( )) {
- X509Certificate cert = user.getX509Certificate( );
- if(cert != null)
- verified = canVerifySignature(sigVerifier, cert, signature, verificationString);
- if(verified)
- break;
+ for (X509Certificate cert : user.getAllX509Certificates()) {
+ if(cert != null)
+ verified = canVerifySignature(sigVerifier, cert, signature, verificationString);
+ if(verified)
+ break;
+ }
 }
 if(!verified) {
 X509Certificate cert = SystemCredentialProvider.getCredentialProvider(Component.eucalyptus).getCertificate();
@@ -260,8 +261,13 @@ private String decryptImage(String bucketName, String objectKey, String userId,
 throw new AccessDeniedException(userId,e);
 }
 try {
- X509Certificate cert = user.getX509Certificate( );
- signatureVerified = canVerifySignature(sigVerifier, cert, signature, verificationString);
+ for(X509Certificate cert : user.getAllX509Certificates()) {
+ if(cert != null) {
+ signatureVerified = canVerifySignature(sigVerifier, cert, signature, verificationString);
+ }
+ if(signatureVerified)
+ break;
+ }
 } catch(Exception ex) {
 db.rollback();
 LOG.error(ex, ex);
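Review bot: In the `@@ -232,11 +232,12 @@` hunk the `break` now sits inside the new certificate loop, so it no longer leaves `for(User user:Users.listAllUsers( ))`. After a successful match the outer loop moves on to the next user, whose first non-null certificate overwrites `verified`, normally with `false`. A correctly signed manifest is then rejected unless the matching user happens to be iterated last or the system-certificate fallback in `if(!verified)` succeeds; this fails closed, but it is a regression against the removed code. Add `if(verified) break;` directly after the inner loop's closing brace, or use a labeled break. The body of decryptImage starts and ends outside the hunk.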
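Review bot: In the `@@ -260,8 +261,13 @@` hunk the loop accepts a signature made with any entry of `user.getAllX509Certificates()`, and nothing visible here separates active certificates from revoked ones. Whether that accessor already filters revoked certificates cannot be seen from the diff; if it does not, a manifest signed with a revoked key would still verify, which the single-certificate `getX509Certificate( )` call may not have allowed. The administrator loop in the first hunk has the same exposure across every user. Please confirm the accessor's contract and record it at the call site, for example `// getAllX509Certificates() must return only active (non-revoked) certificates`, or filter before calling `canVerifySignature`. The enclosing try block and decryptImage continue outside the hunk.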
@@ -516,7 +522,12 @@ private synchronized void cacheImage(String bucketName, String manifestKey, Stri
 ImageCacher imageCacher = imageCachers.putIfAbsent(bucketName + manifestKey, new ImageCacher(bucketName, manifestKey, decryptedImageKey));
 if(imageCacher == null) {
 if(decryptedImageKey == null) {
- decryptedImageKey = decryptImage(bucketName, manifestKey, userId, isAdministrator);
+ try {
+ decryptedImageKey = decryptImage(bucketName, manifestKey, userId, isAdministrator);
+ } catch(EucalyptusCloudException ex) {
+ imageCachers.remove(bucketName + manifestKey);
+ throw ex;
+ }
 //decryption worked. Add it.
 ImageCacheInfo foundImageCacheInfo = new ImageCacheInfo(bucketName, manifestKey);
 foundImageCacheInfo.setImageName(decryptedImageKey);
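Review bot: The cleanup added around `decryptImage(...)` runs only for `EucalyptusCloudException`, so an unchecked exception from decryption (a null pointer, a crypto provider runtime error) still leaves the placeholder `ImageCacher` registered under `bucketName + manifestKey`. Later calls would then get a non-null result from `putIfAbsent` and skip this branch, which looks like the stuck state this change is meant to prevent. Add a second handler with the same body, `} catch(RuntimeException ex) { imageCachers.remove(bucketName + manifestKey); throw ex; }`, or do the removal in a `finally` guarded by a success flag. Separately, the key is a plain concatenation without a separator, so distinct bucket/key pairs can map to the same entry; that predates this change but the new `remove` inherits it. The body of cacheImage starts and ends outside the hunk.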