diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go
index 9c315da3..3c30dbd4 100644
--- a/internal/scti/chain_validation.go
+++ b/internal/scti/chain_validation.go
@@ -146,6 +146,10 @@ func isPrecertificate(cert *x509.Certificate) (bool, error) {
 // the submitted chain in the order of submission.
 // TODO(phboneff): make this a method func([][]byte) ([]*x509.Certificate, error)
 func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x509.Certificate, error) {
+ if len(rawChain) == 0 {
+ return nil, errors.New("empty certificate chain")
+ }
+
 // First make sure the certs parse as X.509
 chain := make([]*x509.Certificate, 0, len(rawChain))
 intermediatePool := x509util.NewPEMCertPool()
diff --git a/internal/scti/chain_validation_test.go b/internal/scti/chain_validation_test.go
index eee64aad..0e4c6f00 100644
--- a/internal/scti/chain_validation_test.go
+++ b/internal/scti/chain_validation_test.go
@@ -249,6 +249,16 @@ func TestValidateChain(t *testing.T) {
 v.extKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 },
 },
+ {
+ desc: "empty-chain",
+ chain: [][]byte{},
+ wantErr: true,
+ },
+ {
+ desc: "nil-chain",
+ chain: nil,
+ wantErr: true,
+ },
 }
 for _, test := range tests {
 t.Run(test.desc, func(t *testing.T) {
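Review bot: The new length check at the top of validateChain has no comment saying what it protects, and the function's doc comment (which begins above the hunk) does not tell callers that an empty submission is rejected. Since rawChain appears to be submitter-supplied input, it is worth recording why the guard runs before anything else, for example `// Reject empty submissions up front; the code below presumably assumes at least one certificate.` That assumption needs confirming against the rest of the body, which continues outside the hunk. A doc-comment sentence such as `// An empty or nil rawChain is rejected with an error.` would make the contract explicit.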
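Review bot: The two new table entries assert only `wantErr: true`, so they pass on any error validateChain returns and do not show that the empty-chain guard is what rejected the input. If the table has, or can gain, a field for matching the error text, pin these cases to "empty certificate chain". The neighbouring boundary is also uncovered: a chain whose only element is zero-length, `{desc: "empty-cert-in-chain", chain: [][]byte{{}}, wantErr: true},`, would confirm that input is also rejected rather than reaching later code. The test table and the loop that runs it start and end outside the hunk.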