diff --git a/core/pkg/net/ssl/ssl.go b/core/pkg/net/ssl/ssl.go
index 62d2f6b7e8..ea492940f4 100644
--- a/core/pkg/net/ssl/ssl.go
+++ b/core/pkg/net/ssl/ssl.go
@@ -71,6 +71,11 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
 		return nil, fmt.Errorf("No valid PEM formatted block found")
 	}
 
+	// If the file does not start with 'BEGIN CERTIFICATE' it's invalid and must not be used.
+	if pemBlock.Type != "CERTIFICATE" {
+		return nil, fmt.Errorf("Certificate %v contains invalid data, and must be created with 'kubectl create secret tls'", name)
+	}
+
 	pemCert, err := x509.ParseCertificate(pemBlock.Bytes)
 	if err != nil {
 		return nil, err
@@ -138,6 +143,10 @@ func AddCertAuth(name string, ca []byte) (*ingress.SSLCert, error) {
 	if pemCABlock == nil {
 		return nil, fmt.Errorf("No valid PEM formatted block found")
 	}
+	// If the first certificate does not start with 'BEGIN CERTIFICATE' it's invalid and must not be used.
+	if pemCABlock.Type != "CERTIFICATE" {
+		return nil, fmt.Errorf("CA File %v contains invalid data, and must be created only with PEM formated certificates", name)
+	}
 	_, err := x509.ParseCertificate(pemCABlock.Bytes)
 	if err != nil {
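Review bot: The new `pemBlock.Type != "CERTIFICATE"` guard in AddOrUpdateCertAndKey only inspects the first PEM block that `pem.Decode` returned, so a `cert` buffer whose later blocks are not certificates (a private key pasted after the leaf, or a stray `CERTIFICATE REQUEST`) still passes this gate; if the remainder of `cert` is emitted as the chain further down in the function (not visible in this hunk), that material would be emitted with it. A tighter check walks every block, `for b, rest := pem.Decode(cert); b != nil; b, rest = pem.Decode(rest) { if b.Type != "CERTIFICATE" { return nil, fmt.Errorf(...) } }`, before the first block is handed to `x509.ParseCertificate`. Separately, Go convention is a lowercase error string with no terminal punctuation, and `%q` shows an empty or whitespace-only name where `%v` hides it, e.g. `fmt.Errorf("certificate %q contains invalid data and must be created with 'kubectl create secret tls'", name)`. AddOrUpdateCertAndKey begins and ends outside this hunk.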