diff --git a/cluster/certificates.go b/cluster/certificates.go
index df9a1d07..5c7f468d 100644
--- a/cluster/certificates.go
+++ b/cluster/certificates.go
@@ -140,14 +140,23 @@ func getClusterCerts(ctx context.Context, kubeClient *kubernetes.Clientset, etcd
 			return nil, err
 		}
 		// If I can't find an etcd cert, I will not fail and will create it later.
-		if secret == nil && strings.HasPrefix(certName, "kube-etcd") {
+		if (secret == nil || secret.Data == nil) && strings.HasPrefix(certName, "kube-etcd") {
 			certMap[certName] = pki.CertificatePKI{}
 			continue
 		}
 
-		secretCert, _ := cert.ParseCertsPEM(secret.Data["Certificate"])
-		secretKey, _ := cert.ParsePrivateKeyPEM(secret.Data["Key"])
+		secretCert, err := cert.ParseCertsPEM(secret.Data["Certificate"])
+		if err != nil {
+			return nil, fmt.Errorf("Failed to parse certificate of %s: %v", certName, err)
+		}
+		secretKey, err := cert.ParsePrivateKeyPEM(secret.Data["Key"])
+		if err != nil {
+			return nil, fmt.Errorf("Failed to parse private key of %s: %v", certName, err)
+		}
 		secretConfig := string(secret.Data["Config"])
+		if len(secretCert) == 0 || secretKey == nil {
+			return nil, fmt.Errorf("certificate or key of %s is not found", certName)
+		}
 		certMap[certName] = pki.CertificatePKI{
 			Certificate:   secretCert[0],
 			Key:           secretKey.(*rsa.PrivateKey),