diff --git a/scripts/base/files/x509/main.zeek b/scripts/base/files/x509/main.zeek
index 10c5a51946..65713f243e 100644
--- a/scripts/base/files/x509/main.zeek
+++ b/scripts/base/files/x509/main.zeek
@@ -214,14 +214,11 @@ event file_hash(f: fa_file, kind: string, hash: string)
 if ( ! f?$info || "X509" !in f$info$analyzers || kind != "sha256" )
 return;
- if ( caching_required_encounters == 0 )
+ if ( caching_required_encounters == 0 || hash in certificate_cache )
 return;
 if ( hash !in certificates_encountered )
- certificates_encountered[hash] = 0;
-
- certificates_encountered[hash] += 1;
-
- if ( certificates_encountered[hash] < caching_required_encounters )
- return;
+ certificates_encountered[hash] = 1;
+ else
+ certificates_encountered[hash] += 1;
 }
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 91b24395b4..eb456bf2aa 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -19,8 +19,6 @@
 #include
 #include
-#include
-
 using namespace file_analysis;
 file_analysis::X509::X509(RecordVal* args, file_analysis::File* file)
@@ -64,8 +62,7 @@ bool file_analysis::X509::EndOfFile()
 val_list vl(2);
 vl.push_back(GetFile()->GetVal()->Ref());
 vl.push_back(new StringVal(cert_sha256));
- Val* v = cache_hit_callback->Call(&vl);
- Unref(v);
+ IntrusivePtr v{AdoptRef{}, cache_hit_callback->Call(&vl)};
 return false;
 }
 }
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index c3dfea9554..56d12da2c3 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
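Review bot: The early return on `hash in certificate_cache` and the bare counter update after it carry no explanation, and with the threshold comparison removed nothing in this handler shows where `caching_required_encounters` is applied. A comment above the counter update such as `# Only count sightings here; promotion into certificate_cache happens elsewhere once the threshold is reached.` would help, with the wording adjusted to wherever that decision is made, which is outside the hunk. Because `certificates_encountered` gains an entry for every distinct certificate hash seen on the wire, it is also worth confirming that its declaration (not visible here) carries an expiry attribute, so that a stream of unique certificates cannot grow the table without bound. The handler body starts above the hunk.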
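Review bot: In EndOfFile, `v` is never read; it exists only so that the reference returned by `Call` is released at scope exit, which the name does not convey. A one-line comment above it, e.g. `// Adopt the returned reference only to release it; the hook's result is not used.`, would keep a later cleanup from deleting the declaration and leaking the value. The `cache_hit_callback->Call` dereference also depends on a guard that is not visible here: the cache table and the callback are installed by two separate setters in X509.h, so it is worth confirming that the enclosing block, which starts above the hunk, checks the callback for null before this line.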
@@ -117,13 +117,13 @@ public:
 * Sets the table[string] that used as the certificate cache inside of Zeek.
 */
 static void SetCertificateCache(IntrusivePtr cache)
- { certificate_cache = cache; }
+ { certificate_cache = std::move(cache); }
 /**
 * Sets the callback when a certificate cache hit is encountered
 */
 static void SetCertificateCacheHitCallback(IntrusivePtr func)
- { cache_hit_callback = func; }
+ { cache_hit_callback = std::move(func); }
 protected:
 X509(RecordVal* args, File* file);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 5ec3dba67e..222a3097c7 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -902,7 +902,7 @@ function x509_set_certificate_cache%(tbl: string_any_table%) : bool
 %{
 file_analysis::X509::SetCertificateCache({NewRef{}, tbl->AsTableVal()});
- return val_mgr->GetBool(1);
+ return val_mgr->GetTrue();
 %}
 ## This function sets up the callback that is called when an entry is matched against the table set
@@ -920,5 +920,5 @@ function x509_set_certificate_cache_hit_callback%(f: string_file_hook%) : bool
 %{
 file_analysis::X509::SetCertificateCacheHitCallback({NewRef{}, f->AsFunc()});
- return val_mgr->GetBool(1);
+ return val_mgr->GetTrue();
 %}
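Review bot: Both setters now call `std::move`, but the hunk does not show this header including `<utility>`; unless it is already included above the hunk, add `#include <utility>` rather than relying on a transitive include. While these lines are being touched, the first doc comment could be corrected to `Sets the table[string] that is used as the certificate cache inside of Zeek.` The comments could also say what a script author needs to know about the effect: judging by the `return false` after the callback in X509.cc's EndOfFile, a hash present in this table appears to make the analyzer take the cache-hit path instead of continuing, so the table's contents decide which certificates get the full treatment.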