diff --git a/include/haproxy/jwt-t.h b/include/haproxy/jwt-t.h
index fca752ef0..054d2df68 100644
--- a/include/haproxy/jwt-t.h
+++ b/include/haproxy/jwt-t.h
@@ -80,7 +80,8 @@ enum jwt_vrfy_status {
 JWT_VRFY_INVALID_TOKEN = -3,
 JWT_VRFY_OUT_OF_MEMORY = -4,
 JWT_VRFY_UNKNOWN_CERT = -5,
- JWT_VRFY_INTERNAL_ERR = -6
+ JWT_VRFY_INTERNAL_ERR = -6,
+ JWT_VRFY_UNAVAIL_CERT = -7,
 };
 #endif /* USE_OPENSSL */
diff --git a/src/jwt.c b/src/jwt.c
index 8790c868f..f8c33c5b3 100644
--- a/src/jwt.c
+++ b/src/jwt.c
@@ -405,10 +405,13 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat
 if (!HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock)) {
 store = ckchs_lookup(ctx->key);
- if (store && store->conf.jwt) {
- pubkey = X509_get_pubkey(store->data->cert);
- if (pubkey)
- EVP_PKEY_up_ref(pubkey);
+ if (store) {
+ if (store->conf.jwt) {
+ pubkey = X509_get_pubkey(store->data->cert);
+ if (pubkey)
+ EVP_PKEY_up_ref(pubkey);
+ } else
+ retval = JWT_VRFY_UNAVAIL_CERT;
 }
 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
 }
@@ -426,7 +429,8 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat
 }
 if (!pubkey) {
- retval = JWT_VRFY_UNKNOWN_CERT;
+ if (!retval)
+ retval = JWT_VRFY_UNKNOWN_CERT;
 goto end;
 }
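Review bot: `JWT_VRFY_UNAVAIL_CERT` is added to `enum jwt_vrfy_status` without a comment saying how it differs from `JWT_VRFY_UNKNOWN_CERT`, and the two names are easy to confuse. Going by the src/jwt.c hunk in this commit, it is set when the certificate is found in the store but `store->conf.jwt` is unset, so a comment such as `/* certificate is loaded but not enabled for JWT verification */` on the enumerator would help. The value stays negative, so callers that treat any negative status as a failed verification keep rejecting the token. Any user-facing list of the return codes (not visible here) presumably needs the new -7 as well.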
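Review bot: The re-indented `X509_get_pubkey()` / `EVP_PKEY_up_ref()` pair in the `store->conf.jwt` branch looks like it takes two references on the key, since OpenSSL documents `X509_get_pubkey()` as returning the key with its reference count already incremented. Unless the cleanup at `end` (outside this hunk) releases the key twice, each successful lookup would leave one reference unreleased; dropping the `if (pubkey) EVP_PKEY_up_ref(pubkey);` lines would leave a single owned reference. Separately, the new `} else` pairs a braced `if` with an unbraced `else`; bracing both keeps the `retval = JWT_VRFY_UNAVAIL_CERT;` assignment visibly tied to the case where the store entry exists but is not enabled for JWT. The function body starts and ends outside the hunk.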
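Review bot: The `if (!retval)` guard in the `!pubkey` branch uses 0 as "no status set yet", which only holds if `retval` is initialised to 0 at the top of the function and nothing between the store lookup and this check assigns it; both are outside the hunk. A later change that sets `retval` to any other value earlier in the function would silently suppress `JWT_VRFY_UNKNOWN_CERT`. Testing the one status this is meant to preserve, `if (retval != JWT_VRFY_UNAVAIL_CERT) retval = JWT_VRFY_UNKNOWN_CERT;`, or adding a comment such as `/* keep the more specific status set during the store lookup */`, would make the intent explicit.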