diff --git a/cert.go b/cert.go
index e444a8d..fcecee8 100644
--- a/cert.go
+++ b/cert.go
@@ -245,7 +245,7 @@ func (m *mkcert) makeCertFromCSR() {
 
 // loadCA will load or create the CA at CAROOT.
 func (m *mkcert) loadCA() {
-	if _, err := os.Stat(filepath.Join(m.CAROOT, rootName)); os.IsNotExist(err) {
+	if !pathExists(filepath.Join(m.CAROOT, rootName)) {
 		m.newCA()
 	} else {
 		log.Printf("Using the local CA at \"%s\" ✨\n", m.CAROOT)
@@ -260,7 +260,7 @@ func (m *mkcert) loadCA() {
 	m.caCert, err = x509.ParseCertificate(certDERBlock.Bytes)
 	fatalIfErr(err, "failed to parse the CA certificate")
 
-	if _, err := os.Stat(filepath.Join(m.CAROOT, rootKeyName)); os.IsNotExist(err) {
+	if !pathExists(filepath.Join(m.CAROOT, rootKeyName)) {
 		return // keyless mode, where only -install works
 	}
 
diff --git a/main.go b/main.go
index 15f247a..8f26aad 100644
--- a/main.go
+++ b/main.go
@@ -14,6 +14,7 @@ import (
 	"net"
 	"net/mail"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"regexp"
 	"runtime"
@@ -330,3 +331,13 @@ func fatalIfCmdErr(err error, cmd string, out []byte) {
 		log.Fatalf("ERROR: failed to execute \"%s\": %s\n\n%s\n", cmd, err, out)
 	}
 }
+
+func pathExists(path string) bool {
+	_, err := os.Stat(path)
+	return err == nil
+}
+
+func binaryExists(name string) bool {
+	_, err := exec.LookPath(name)
+	return err == nil
+}
diff --git a/truststore_java.go b/truststore_java.go
index d618a70..9b63b10 100644
--- a/truststore_java.go
+++ b/truststore_java.go
@@ -39,19 +39,16 @@ func init() {
 		hasJava = true
 		javaHome = v
 
-		_, err := os.Stat(filepath.Join(v, keytoolPath))
-		if err == nil {
+		if pathExists(filepath.Join(v, keytoolPath)) {
 			hasKeytool = true
 			keytoolPath = filepath.Join(v, keytoolPath)
 		}
 
-		_, err = os.Stat(filepath.Join(v, "lib", "security", "cacerts"))
-		if err == nil {
+		if pathExists(filepath.Join(v, "lib", "security", "cacerts")) {
 			cacertsPath = filepath.Join(v, "lib", "security", "cacerts")
 		}
 
-		_, err = os.Stat(filepath.Join(v, "jre", "lib", "security", "cacerts"))
-		if err == nil {
+		if pathExists(filepath.Join(v, "jre", "lib", "security", "cacerts")) {
 			cacertsPath = filepath.Join(v, "jre", "lib", "security", "cacerts")
 		}
 	}
diff --git a/truststore_linux.go b/truststore_linux.go
index dbdd8cf..f0253a6 100644
--- a/truststore_linux.go
+++ b/truststore_linux.go
@@ -46,24 +46,11 @@ func init() {
 		SystemTrustFilename = "/usr/share/pki/trust/anchors/%s.pem"
 		SystemTrustCommand = []string{"update-ca-certificates"}
 	}
-	if SystemTrustCommand != nil {
-		_, err := exec.LookPath(SystemTrustCommand[0])
-		if err != nil {
-			SystemTrustCommand = nil
-		}
+	if SystemTrustCommand != nil && !binaryExists(SystemTrustCommand[0]) {
+		SystemTrustCommand = nil
 	}
 }
 
-func pathExists(path string) bool {
-	_, err := os.Stat(path)
-	return err == nil
-}
-
-func binaryExists(name string) bool {
-	_, err := exec.LookPath(name)
-	return err == nil
-}
-
 func (m *mkcert) systemTrustFilename() string {
 	return fmt.Sprintf(SystemTrustFilename, strings.Replace(m.caUniqueName(), " ", "_", -1))
 }
@@ -115,7 +102,7 @@ func (m *mkcert) uninstallPlatform() bool {
 }
 
 func CommandWithSudo(cmd ...string) *exec.Cmd {
-	if _, err := exec.LookPath("sudo"); err != nil {
+	if !binaryExists("sudo") {
 		return exec.Command(cmd[0], cmd[1:]...)
 	}
 	return exec.Command("sudo", append([]string{"--"}, cmd...)...)
diff --git a/truststore_nss.go b/truststore_nss.go
index bb52d10..1bc02a9 100644
--- a/truststore_nss.go
+++ b/truststore_nss.go
@@ -23,29 +23,25 @@ func init() {
 		"/Applications/Firefox Nightly.app",
 		"C:\\Program Files\\Mozilla Firefox",
 	} {
-		_, err := os.Stat(path)
-		hasNSS = hasNSS || err == nil
+		hasNSS = hasNSS || pathExists(path)
 	}
 
 	switch runtime.GOOS {
 	case "darwin":
-		var err error
-		certutilPath, err = exec.LookPath("certutil")
-		if err != nil {
-			var out []byte
-			out, err = exec.Command("brew", "--prefix", "nss").Output()
-			if err != nil {
-				return
+		if hasCertutil = binaryExists("certutil"); hasCertutil {
+			certutilPath, _ = exec.LookPath("certutil")
+		} else {
+			out, err := exec.Command("brew", "--prefix", "nss").Output()
+			if err == nil {
+				certutilPath = filepath.Join(strings.TrimSpace(string(out)), "bin", "certutil")
+				hasCertutil = pathExists(certutilPath)
 			}
-			certutilPath = filepath.Join(strings.TrimSpace(string(out)), "bin", "certutil")
-			_, err = os.Stat(certutilPath)
 		}
-		hasCertutil = err == nil
 
 	case "linux":
-		var err error
-		certutilPath, err = exec.LookPath("certutil")
-		hasCertutil = err == nil
+		if hasCertutil = binaryExists("certutil"); hasCertutil {
+			certutilPath, _ = exec.LookPath("certutil")
+		}
 	}
 }
 
@@ -96,7 +92,7 @@ func (m *mkcert) uninstallNSS() {
 
 func (m *mkcert) forEachNSSProfile(f func(profile string)) (found int) {
 	profiles, _ := filepath.Glob(FirefoxProfile)
-	if _, err := os.Stat(nssDB); err == nil {
+	if pathExists(nssDB) {
 		profiles = append(profiles, nssDB)
 	}
 	if len(profiles) == 0 {
@@ -106,12 +102,10 @@ func (m *mkcert) forEachNSSProfile(f func(profile string)) (found int) {
 		if stat, err := os.Stat(profile); err != nil || !stat.IsDir() {
 			continue
 		}
-		if _, err := os.Stat(filepath.Join(profile, "cert9.db")); err == nil {
+		if pathExists(filepath.Join(profile, "cert9.db")) {
 			f("sql:" + profile)
 			found++
-			continue
-		}
-		if _, err := os.Stat(filepath.Join(profile, "cert8.db")); err == nil {
+		} else if pathExists(filepath.Join(profile, "cert8.db")) {
 			f("dbm:" + profile)
 			found++
 		}