diff --git a/src/common/tortls.c b/src/common/tortls.c
index a1facec409..5e0c97096d 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -884,7 +884,7 @@ tor_tls_cert_is_valid(int severity,
   EVP_PKEY *cert_key;
   int r, key_ok = 0;
 
-  if (!signing_cert)
+  if (!signing_cert || !cert)
     goto bad;
 
   EVP_PKEY *signing_key = X509_get_pubkey(signing_cert->cert);
diff --git a/src/test/test_tortls.c b/src/test/test_tortls.c
index 709c8dbd77..add020e9f4 100644
--- a/src/test/test_tortls.c
+++ b/src/test/test_tortls.c
@@ -2680,7 +2680,12 @@ test_tortls_cert_is_valid(void *ignored)
   scert = tor_malloc_zero(sizeof(tor_x509_cert_t));
   ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 0);
   tt_int_op(ret, OP_EQ, 0);
+
+  cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
+  ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 0);
+  tt_int_op(ret, OP_EQ, 0);
   tor_free(scert);
+  tor_free(cert);
 
   cert = tor_x509_cert_new(read_cert_from(validCertString));
   scert = tor_x509_cert_new(read_cert_from(caCertString));