diff --git a/clientutil/backend.go b/clientutil/backend.go
index 6580d0eb42ae0070a803db7df6ce15d7da595e3b..9e08fa01ab2c1906dfa36a5c74555ab0e4d7e2ad 100644
--- a/clientutil/backend.go
+++ b/clientutil/backend.go
@@ -13,7 +13,7 @@ import (
 // 'shard' parameter on their APIs.
 type BackendConfig struct {
 	URL       string           `yaml:"url"`
-	TLSConfig *TLSClientConfig `yaml:"tls_config"`
+	TLSConfig *TLSClientConfig `yaml:"tls"`
 	Sharded   bool             `yaml:"sharded"`
 	Debug     bool             `yaml:"debug"`
 }
diff --git a/clientutil/tls.go b/clientutil/tls.go
index 6eb0749eb78cd75cedb4168626ff67536387e9de..7974525e47eb1d3540d21e3f89ff23c17af83528 100644
--- a/clientutil/tls.go
+++ b/clientutil/tls.go
@@ -2,6 +2,7 @@ package clientutil
 
 import (
 	"crypto/tls"
+	"errors"
 
 	common "git.autistici.org/ai3/go-common"
 )
@@ -16,6 +17,10 @@ type TLSClientConfig struct {
 
 // TLSConfig returns a tls.Config object with the current configuration.
 func (c *TLSClientConfig) TLSConfig() (*tls.Config, error) {
+	if c.Cert == "" || c.Key == "" || c.CA == "" {
+		return nil, errors.New("incomplete client tls specification")
+	}
+
 	cert, err := tls.LoadX509KeyPair(c.Cert, c.Key)
 	if err != nil {
 		return nil, err
@@ -24,13 +29,11 @@ func (c *TLSClientConfig) TLSConfig() (*tls.Config, error) {
 		Certificates: []tls.Certificate{cert},
 	}
 
-	if c.CA != "" {
-		cas, err := common.LoadCA(c.CA)
-		if err != nil {
-			return nil, err
-		}
-		tlsConf.RootCAs = cas
+	cas, err := common.LoadCA(c.CA)
+	if err != nil {
+		return nil, err
 	}
+	tlsConf.RootCAs = cas
 	tlsConf.BuildNameToCertificate()
 
 	return tlsConf, nil
diff --git a/misc.go b/misc.go
index 582af3f7e148988ff382d50e9a2e0e1e9e0894d2..cd7f15e44a17ee4122b438f421942611927cdc58 100644
--- a/misc.go
+++ b/misc.go
@@ -2,6 +2,7 @@ package common
 
 import (
 	"crypto/x509"
+	"fmt"
 	"io/ioutil"
 )
 
@@ -12,6 +13,8 @@ func LoadCA(path string) (*x509.CertPool, error) {
 		return nil, err
 	}
 	cas := x509.NewCertPool()
-	cas.AppendCertsFromPEM(data)
+	if !cas.AppendCertsFromPEM(data) {
+		return nil, fmt.Errorf("no certificates could be parsed in %s", path)
+	}
 	return cas, nil
 }