diff --git a/x509util/certcheck/certcheck.go b/x509util/certcheck/certcheck.go
index 8a5fae28fa6..20220e7a222 100644
--- a/x509util/certcheck/certcheck.go
+++ b/x509util/certcheck/certcheck.go
@@ -46,7 +46,7 @@ var (
 	checkRevoked = flag.Bool("check_revocation", false, "Check revocation status of certificate")
 )
 
-func addCerts(filename string, pool *x509.CertPool) {
+func addCerts(filename string, pool *x509.CertPool, validateSelfSigned bool) {
 	if filename != "" {
 		dataList, err := x509util.ReadPossiblePEMFile(filename, "CERTIFICATE")
 		if err != nil {
@@ -58,6 +58,12 @@ func addCerts(filename string, pool *x509.CertPool) {
 			glog.Exitf("Failed to parse certificate from %s: %v", filename, err)
 		}
 		for _, cert := range certs {
+			if validateSelfSigned {
+				err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
+				if err != nil {
+					glog.Exitf("Failed to verify self-signature on root cert from %s: %v", filename, err)
+				}
+			}
 			pool.AddCert(cert)
 		}
 	}
@@ -223,8 +229,8 @@ func validateChain(chain []*x509.Certificate, opts x509.VerifyOptions, rootsFile
 	opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
 	opts.Roots = roots
 	opts.Intermediates = x509.NewCertPool()
-	addCerts(rootsFile, opts.Roots)
-	addCerts(intermediatesFile, opts.Intermediates)
+	addCerts(rootsFile, opts.Roots /* validate_self_signed= */, true)
+	addCerts(intermediatesFile, opts.Intermediates /* validate_self_signed= */, false)
 	if !useSystemRoots && len(rootsFile) == 0 {
 		// No root CA certs provided, so assume the chain is self-contained.
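Review bot: The new validateSelfSigned parameter changes what addCerts does on failure, but the function still has no doc comment explaining the contract, and the signature line is the only place a reader will look for it. I would add `// addCerts parses the certificates in filename (if non-empty) and adds them to pool. When validateSelfSigned is set, each certificate's signature is first verified against its own public key and the program exits if that check fails.` above the func line. The body of addCerts continues past the end of this hunk.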
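Review bot: The new check calls glog.Exitf on the first root whose self-signature fails, which turns a single malformed or legacy entry in the roots file into a hard exit for the whole run; in upstream crypto/x509 (Go 1.18+) CheckSignature also returns an InsecureAlgorithmError for SHA-1 signatures, so an old but still-trusted root self-signed with sha1WithRSA would abort the tool rather than just being reported (whether the x509 package imported here behaves the same is not visible in the hunk and should be confirmed). Since root self-signatures are not consulted during chain building, a warn-and-skip is arguably the better fit for a checking tool: `glog.Warningf("Skipping root cert from %s: self-signature check failed: %v", filename, err)` followed by `continue`, or collecting the failures and exiting once after the loop. Note also that verifying with the certificate's own key only proves the cert is self-signed; it does not establish that the cert is a CA or that issuer matches subject, so the check should not be described as root validation beyond that. Stylistically, the inner `err :=` shadows the err from ReadPossiblePEMFile; `if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {` keeps it scoped to the check.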