diff --git a/pkg/vpn/openvpn.go b/pkg/vpn/openvpn.go
index 7e4f8150754f3c9faa6730262812a28cf33330d4..871f5418c40652e3ac58e7eae13f785ee00b501e 100644
--- a/pkg/vpn/openvpn.go
+++ b/pkg/vpn/openvpn.go
@@ -329,9 +329,10 @@ func (b *Bitmask) getCert() error {
 	}
 
 	b.certPemPath = b.getTempCertPemPath()
-	// If we start OpenVPN, openvpn.pem does not exist and isValidCert returns false
-	// If we start OpenVPN later again (not restarting the  client), there
-	// should be a valid openvpn.pem
+	// If we start OpenVPN for  the first time, openvpn.pem does not exist
+	// and isValidCert returns false
+	// If we start OpenVPN later again (not restarting the client), there
+	// should be a valid openvpn.pem and isValidCert should return true
 	// If there is no valid openvpn.pem, fetch a new one from menshen
 	// Note: b.tempdir is unique for every run of the desktop client
 	if !isValidCert(b.certPemPath) {
diff --git a/pkg/vpn/utils.go b/pkg/vpn/utils.go
index 6b606d821816c164f5dc56eb1b7633698df718d9..bfa593a7d6eeaf33cc0c44447a39d0318b49481c 100644
--- a/pkg/vpn/utils.go
+++ b/pkg/vpn/utils.go
@@ -40,18 +40,19 @@ func isUpgradeAvailable() bool {
 func isValidCert(path string) bool {
 	log.Trace().
 		Str("path", path).
-		Msg("Checking for a valid OpenVPN client credentials (key and certificate)")
+		Msg("Checking for valid OpenVPN client credentials (key and certificate)")
 
 	data, err := ioutil.ReadFile(path)
 	if err != nil {
 		log.Debug().
 			Str("path", path).
+			Str("err", err.Error()).
 			Msg("Could not read certificate file")
 		return false
 	}
 
 	pkBlock, rest := pem.Decode(data)
-	if rest == nil {
+	if rest == nil || pkBlock == nil {
 		log.Warn().
 			Str("data", string(data)).
 			Msg("Could not decode pem data")
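Review bot: The `log.Warn()` in the decode-failure branch still writes the whole file into the log through `Str("data", string(data))`, and per the trace message at the top of the function that file holds the client key and certificate. With the added `pkBlock == nil` check this branch now runs whenever no PEM block is found, so a truncated or partly corrupted file would put private-key material into the log at warn level. I would log only the path and size, for example `Str("path", path).Int("size", len(data)).` in place of the `data` field. Separately, `pem.Decode` returns the input as `rest` when it finds no block, so `rest == nil` probably never signals a failure and `pkBlock == nil` alone expresses the check. isValidCert's body continues past the end of this hunk.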