diff --git a/certman.sh b/certman.sh
index 0798e43..acbd38c 100755
--- a/certman.sh
+++ b/certman.sh
@@ -125,13 +125,17 @@ download_and_verify_cert() {
     fi
 
     # Validate certificate and key match
-    local cert_fingerprint
+    local cert_fingerprint key_fingerprint
     cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
-        openssl pkey -pubin -outform DER 2>/dev/null |
-        openssl dgst -sha256)
-    local key_fingerprint
-    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
-        openssl dgst -sha256)
+        openssl pkey -pubin -outform DER |
+        openssl dgst -sha256) || true
+    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER |
+        openssl dgst -sha256) || true
+
+    if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
+        echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
+        return 1
+    fi
 
     if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
         echo -e "${RED}Certificate and key do not match for $domain${NC}"
@@ -141,9 +145,13 @@ download_and_verify_cert() {
     if [ "$FULLCHAIN_PEM" = "true" ]; then
         local pem_fingerprint
         pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
-            openssl pkey -pubin -outform DER 2>/dev/null |
-            openssl dgst -sha256)
-        if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
+            openssl pkey -pubin -outform DER |
+            openssl dgst -sha256) || true
+        if [ -z "$pem_fingerprint" ]; then
+            echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
+            return 1
+        fi
+        if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
             echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
             return 1
         fi
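Review bot: The new `-z` checks on cert_fingerprint and key_fingerprint can never fire for a failed `openssl x509` or `openssl pkey`, because the last pipeline stage, `openssl dgst -sha256`, still runs on empty stdin, exits 0 and prints the digest of the empty string, so the variable is non-empty; and `|| true` keeps that value even when pipefail propagates the earlier failure. The dangerous case is an unreadable cert and key together: both variables hold the same empty-input digest, the mismatch check passes, and the function reports the pair as valid. Clear the variable on failure and make the failure visible to the pipeline, e.g. `cert_fingerprint=$(set -o pipefail; openssl x509 -in "$temp_cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256) || cert_fingerprint=` (the `set -o pipefail` inside `$( )` stays local to that subshell and is unnecessary if the script already enables it globally, which is not visible here), and do the same for key_fingerprint and for pem_fingerprint in the second hunk. download_and_verify_cert begins and ends outside both hunks.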