diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/AndroidCertificatePal.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/AndroidCertificatePal.cs
index 1a12654cac48bd..dd208147371fa5 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/AndroidCertificatePal.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/AndroidCertificatePal.cs
@@ -575,17 +575,14 @@ public void AppendPrivateKeyInfo(StringBuilder sb)
 
         public void Dispose()
         {
-            if (_privateKey != null)
-            {
-                _privateKey.Dispose();
-                _privateKey = null;
-            }
+            _privateKey?.Dispose();
+            _privateKey = null;
 
-            if (_cert != null)
-            {
-                _cert.Dispose();
-                _cert = null!;
-            }
+            _keyStorePrivateKeyEntry?.Dispose();
+            _keyStorePrivateKeyEntry = null;
+
+            _cert?.Dispose();
+            _cert = null!;
         }
 
         public byte[] Export(X509ContentType contentType, SafePasswordHandle password)
diff --git a/src/native/libs/System.Security.Cryptography.Native.Android/pal_x509store.c b/src/native/libs/System.Security.Cryptography.Native.Android/pal_x509store.c
index d66617f2d64aef..83ef030694ba70 100644
--- a/src/native/libs/System.Security.Cryptography.Native.Android/pal_x509store.c
+++ b/src/native/libs/System.Security.Cryptography.Native.Android/pal_x509store.c
@@ -273,6 +273,7 @@ EnumerateCertificates(JNIEnv* env, jobject /*KeyStore*/ store, EnumCertificatesC
     //     }
     // }
     jboolean hasNext = (*env)->CallBooleanMethod(env, aliases, g_EnumerationHasMoreElements);
+    ON_EXCEPTION_PRINT_AND_GOTO(cleanup);
     while (hasNext)
     {
         INIT_LOCALS(loc, alias, entry, cert, publicKey, privateKey);
@@ -311,6 +312,7 @@ EnumerateCertificates(JNIEnv* env, jobject /*KeyStore*/ store, EnumCertificatesC
         RELEASE_LOCALS(loc, env);
 
         hasNext = (*env)->CallBooleanMethod(env, aliases, g_EnumerationHasMoreElements);
+        ON_EXCEPTION_PRINT_AND_GOTO(cleanup);
     }
 
     ret = SUCCESS;
@@ -365,31 +367,34 @@ ARGS_NON_NULL_ALL static int32_t EnumerateTrustedCertificates(
     //     }
     // }
     jboolean hasNext = (*env)->CallBooleanMethod(env, aliases, g_EnumerationHasMoreElements);
+    ON_EXCEPTION_PRINT_AND_GOTO(cleanup);
     while (hasNext)
     {
+        jobject cert = NULL;
         jstring alias = (*env)->CallObjectMethod(env, aliases, g_EnumerationNextElement);
         ON_EXCEPTION_PRINT_AND_GOTO(loop_cleanup);
 
         if (filter == NULL || filter(env, alias))
         {
-            jobject cert = (*env)->CallObjectMethod(env, store, g_KeyStoreGetCertificate, alias);
-            if (cert != NULL && !CheckJNIExceptions(env))
+            cert = (*env)->CallObjectMethod(env, store, g_KeyStoreGetCertificate, alias);
+            if (!CheckJNIExceptions(env) && cert != NULL)
             {
-                cert = ToGRef(env, cert);
-                cb(cert, context);
+                cb(AddGRef(env, cert), context);
             }
         }
 
-        hasNext = (*env)->CallBooleanMethod(env, aliases, g_EnumerationHasMoreElements);
-
     loop_cleanup:
-        (*env)->DeleteLocalRef(env, alias);
+        ReleaseLRef(env, cert);
+        ReleaseLRef(env, alias);
+
+        hasNext = (*env)->CallBooleanMethod(env, aliases, g_EnumerationHasMoreElements);
+        ON_EXCEPTION_PRINT_AND_GOTO(cleanup);
     }
 
     ret = SUCCESS;
 
 cleanup:
-    (*env)->DeleteLocalRef(env, aliases);
+    ReleaseLRef(env, aliases);
     return ret;
 }
 
@@ -431,9 +436,11 @@ jobject /*KeyStore*/ AndroidCryptoNative_X509StoreOpenDefault(void)
     (*env)->CallVoidMethod(env, store, g_KeyStoreLoad, NULL, NULL);
     ON_EXCEPTION_PRINT_AND_GOTO(cleanup);
     ret = ToGRef(env, store);
+    store = NULL;
 
 cleanup:
-    (*env)->DeleteLocalRef(env, storeType);
+    ReleaseLRef(env, store);
+    ReleaseLRef(env, storeType);
     return ret;
 }
 
@@ -444,19 +451,23 @@ int32_t AndroidCryptoNative_X509StoreRemoveCertificate(jobject /*KeyStore*/ stor
     abort_if_invalid_pointer_argument (store);
 
     JNIEnv* env = GetJNIEnv();
+    int32_t ret = FAIL;
 
     jstring alias = make_java_string(env, hashString);
     if (!ContainsMatchingCertificateForAlias(env, store, cert, alias))
     {
         // Certificate is not in store - nothing to do
-        return SUCCESS;
+        ret = SUCCESS;
+        goto cleanup;
     }
 
     // store.deleteEntry(alias);
     (*env)->CallVoidMethod(env, store, g_KeyStoreDeleteEntry, alias);
+    ret = CheckJNIExceptions(env) ? FAIL : SUCCESS;
 
-    (*env)->DeleteLocalRef(env, alias);
-    return CheckJNIExceptions(env) ? FAIL : SUCCESS;
+cleanup:
+    ReleaseLRef(env, alias);
+    return ret;
 }
 
 jobject AndroidCryptoNative_X509StoreGetPrivateKeyEntry(jobject /*KeyStore*/ store, const char* hashString)