diff --git a/ca/ca.go b/ca/ca.go
index d641fa65b..dc1908277 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -131,6 +131,10 @@ func NewCertificateAuthorityImpl(
 return nil, err
 }
 
+ if len(boulderIssuers) == 0 {
+ return nil, errors.New("must have at least one issuer")
+ }
+
 issuers := makeIssuerMaps(boulderIssuers)
 
 orphanCount := prometheus.NewCounterVec(
diff --git a/ca/ca_test.go b/ca/ca_test.go
index 3464a21a0..2a99c07d4 100644
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@@ -421,6 +421,31 @@ func issueCertificateSubTestValidityUsesCAClock(t *testing.T, i *TestCertificate
 test.AssertEquals(t, i.cert.NotAfter.Add(time.Second).Sub(i.cert.NotBefore), i.ca.validityPeriod)
 }
 
+// Test failure mode when no issuers are present.
+func TestNoIssuers(t *testing.T) {
+ testCtx := setup(t)
+ sa := &mockSA{}
+ _, err := NewCertificateAuthorityImpl(
+ sa,
+ testCtx.pa,
+ testCtx.ocsp,
+ nil, // No issuers
+ nil,
+ testCtx.certExpiry,
+ testCtx.certBackdate,
+ testCtx.serialPrefix,
+ testCtx.maxNames,
+ testCtx.keyPolicy,
+ nil,
+ testCtx.logger,
+ testCtx.stats,
+ testCtx.signatureCount,
+ testCtx.signErrorCount,
+ testCtx.fc)
+ test.AssertError(t, err, "No issuers found during CA construction.")
+ test.AssertEquals(t, err.Error(), "must have at least one issuer")
+}
+
 // Test issuing when multiple issuers are present.
 func TestMultipleIssuers(t *testing.T) {
 testCtx := setup(t)
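Review bot: The new `len(boulderIssuers) == 0` guard in `NewCertificateAuthorityImpl` rejects a nil or empty slice but says nothing about why, and it does not cover a non-empty slice that contains nil entries. Whether `makeIssuerMaps` tolerates a nil element is not visible in this hunk, so that is worth confirming before relying on this check as the only validation of the issuer list. A short comment above the guard would record the intent, for example `// Fail closed at construction: a CA with no issuers must not start and then fail at first issuance.` The function body starts and ends outside the hunk, so the earlier `return nil, err` path and later uses of `issuers` were not reviewed.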
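Review bot: In `TestNoIssuers`, the last assertion calls `err.Error()` unconditionally and compares the full message text. That is safe only if `test.AssertError` aborts the test on a nil error, which is not visible here; if it merely records a failure, a regression that drops the guard would surface as a nil-pointer panic instead of a clean test failure. The exact-string match also ties the test to wording, so if the package later exposes a sentinel error, `errors.Is` would be the sturdier check. Separately, only one of the three positional `nil` arguments is labelled; annotating the other two in the same style as `nil, // No issuers` would make clear which dependencies the test deliberately omits.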