diff --git a/lib/client/interfaces.go b/lib/client/interfaces.go
index 9545fe19a1f76..95ea6319d845a 100644
--- a/lib/client/interfaces.go
+++ b/lib/client/interfaces.go
@@ -309,6 +309,10 @@ func (k *KeyRing) clientCertPool(clusters ...string) (*x509.CertPool, error) {
 return nil, trace.Wrap(err)
 }
 pool := x509.NewCertPool()
+ if len(certPoolPEM) == 0 {
+ // It's valid to have no matching CAs and therefore an empty cert pool.
+ return pool, nil
+ }
 if !pool.AppendCertsFromPEM(certPoolPEM) {
 return nil, trace.BadParameter("failed to parse TLS CA certificate")
 }
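Review bot: The new early return in clientCertPool hands back an empty but non-nil pool with no signal to the caller, so a missing or mistyped cluster name now surfaces later as a generic certificate-verification failure rather than at this call. If the pool ends up in `tls.Config.RootCAs` (not visible in this hunk), a non-nil empty pool rejects every peer instead of falling back to the system roots, so this fails closed only as long as no caller maps an empty pool to nil. That contract is worth stating in the function's doc comment, e.g. `// The returned pool is never nil but may be empty when no CA matches clusters; callers must not replace an empty pool with nil.` A debug-level log naming the requested clusters in the empty branch would keep the misconfiguration diagnosable. The function starts above and continues below the hunk, so how certPoolPEM is assembled cannot be checked from here.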