diff --git a/lib/keysigner/ca.js b/lib/keysigner/ca.js
index 31c95068c502f2f21c6105909f351f90698422f8..85a1215e30bf8cc211d8424e95c38cf85b63d453 100644
--- a/lib/keysigner/ca.js
+++ b/lib/keysigner/ca.js
@@ -42,11 +42,18 @@ var jwcert = require('jwcrypto/jwcert'),
     path = require("path"),
     fs = require("fs"),
     config = require('../configuration.js'),
-    secrets = require('../secrets.js');
+    secrets = require('../secrets.js'),
+    logger = require('../logging.js').logger;
 
 var HOSTNAME = config.get('hostname');
 
-const secret_key =  secrets.loadSecretKey('root', config.get('var_path'));
+const secret_key = secrets.loadSecretKey('root', config.get('var_path'));
+
+if (!secret_key) {
+  logger.error("no secret key read from " + config.get('var_path') +
+               " can't continue");
+  setTimeout(function() { process.exit(1); }, 0);
+}
 
 function parsePublicKey(serializedPK) {
   return jwk.PublicKey.deserialize(serializedPK);