diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 7c1c07a5d..5ca9481ae 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -1226,7 +1226,7 @@ _kdc_pk_check_client(krb5_context context,
 }
 ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
- if (ret == 0) {
+ if (ret == 0 && acl != NULL) {
 /*
 * Cheat here and compare the generated name with the string
 * and not the reverse.
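Review bot: The new `acl != NULL` guard on the `if (ret == 0 ...)` line has no comment saying why a successful return can leave `acl` unset, so a later reader may take the test for redundant and drop it. Presumably `hdb_entry_get_pkinit_acl()` returns 0 with `acl == NULL` when the client entry carries no PKINIT ACL extension; if that is the contract, put `/* ret == 0 with acl == NULL: entry has no pkinit ACL, skip the ACL match */` above the condition. The body of this `if` and the rest of `_kdc_pk_check_client` lie outside the hunk, so confirm there that both the no-ACL path and the `ret != 0` path fall through to a later check that rejects the client unless something else matches, rather than ending up as an implicit accept. Any other caller of this getter that dereferences the result after testing only `ret == 0` would need the same guard.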