diff --git a/lfshttp/certs.go b/lfshttp/certs.go
index 1205349f..07107023 100644
--- a/lfshttp/certs.go
+++ b/lfshttp/certs.go
@@ -86,6 +86,9 @@ func getClientCertForHost(c *Client, host string) (*tls.Certificate, error) {
 	}
 
 	block, _ := pem.Decode(key)
+	if block == nil {
+		return nil, errors.New(tr.Tr.Get("Error decoding PEM block from %q", hostSslKey))
+	}
 	if x509.IsEncryptedPEMBlock(block) {
 		key, err = decryptPEMBlock(c, block, hostSslKey, key)
 		if err != nil {
diff --git a/t/t-fetch.sh b/t/t-fetch.sh
index 47400866..659ab942 100755
--- a/t/t-fetch.sh
+++ b/t/t-fetch.sh
@@ -298,6 +298,20 @@ begin_test "fetch with missing object"
 )
 end_test
 
+begin_test "fetch does not crash on empty key files"
+(
+  set -e
+  cd clone
+  rm -rf .git/lfs/objects
+
+  git config --local http.sslKey /dev/null
+  git config --local http.sslCert /dev/null
+
+  git lfs fetch origin main 2>&1 | tee fetch.log
+  grep "Error decoding PEM block" fetch.log
+)
+end_test
+
 begin_test "fetch-all"
 (
   set -e