diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc
index 2836385b0a9..3dd8a39864a 100644
--- a/src/XrdSecgsi/XrdSecProtocolgsi.cc
+++ b/src/XrdSecgsi/XrdSecProtocolgsi.cc
@@ -4108,6 +4108,15 @@ bool XrdSecProtocolgsi::VerifyCA(int opt, X509Chain *cca, XrdCryptoFactory *CF)
 
    // Point to the certificate
    XrdCryptoX509 *xc = cca->Begin();
+   if (!xc) {
+      PRINT("Cannot attach to first certificate in chain");
+      return 0;
+   }
+   // Make sure it is valid
+   if (!(xc->IsValid())) {
+      PRINT("CA certificate is expired ("<<xc->SubjectHash()<<", not_before: "<<xc->NotBefore()<<" secs UTC )");
+      return 0;
+   }
    // Is it self-signed ?
    bool self = (!strcmp(xc->IssuerHash(), xc->SubjectHash())) ? 1 : 0;
    if (!self) {