diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/InstanceCertManager.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/InstanceCertManager.java
index b8982ec8a91..be0baaaaf65 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/InstanceCertManager.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/cert/InstanceCertManager.java
@@ -466,6 +466,11 @@ private void loadCertSigner() {
 String certSignerFactoryClass = System.getProperty(ZTSConsts.ZTS_PROP_CERT_SIGNER_FACTORY_CLASS, ZTSConsts.ZTS_CERT_SIGNER_FACTORY_CLASS);
+ if (StringUtil.isEmpty(certSignerFactoryClass)) {
+ LOGGER.error("No CertSignerFactory class configured");
+ certSigner = null;
+ return;
+ }
 try {
 CertSignerFactory certSignerFactory = (CertSignerFactory) Class.forName(certSignerFactoryClass)
 .getDeclaredConstructor().newInstance();
@@ -754,6 +759,11 @@ public boolean insertX509CertRecord(X509CertRecord certRecord) {
 public String generateX509Certificate(final String provider, final String certIssuer, final String csr, final String keyUsage, int expiryTime, Priority priority, final String keySignerId) {
+ if (certSigner == null) {
+ LOGGER.error("CertSigner is not available");
+ return null;
+ }
+
 String pemCert = null;
 try {
 pemCert = certSigner.generateX509Certificate(provider, certIssuer, csr, keyUsage,
@@ -768,6 +778,12 @@ public String generateX509Certificate(final String provider, final String certIs
 }
 public String getCACertificate(final String provider, final String signerKeyId) {
+
+ if (certSigner == null) {
+ LOGGER.error("CertSigner is not available");
+ return null;
+ }
+
 try {
 return certSigner.getCACertificate(provider, signerKeyId);
 } catch (ServerResourceException ex) {
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/InstanceCertManagerTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/InstanceCertManagerTest.java
index 76be4c0d88f..bcb680c341d 100644
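Review bot: The empty-class branch added to `loadCertSigner` leaves the server running with `certSigner == null` and only one error line in the log, so a blank `ZTSConsts.ZTS_PROP_CERT_SIGNER_FACTORY_CLASS` turns into a certificate service that refuses every request without saying why at request time. If running without a signer is intended, state it in a comment above the check, for example `// no signer configured: certificate issuance is disabled and callers must handle a null result`, and name the property in the log message so the operator knows what to set. Only `generateX509Certificate` and `getCACertificate` gain a null guard in this commit; any other method that dereferences `certSigner` lies outside the visible hunks and should be checked for the same case. The body of `loadCertSigner` continues past the hunk, so how the existing catch block treats a bad class name is not visible here.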
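Review bot: The null guard added to `generateX509Certificate` logs exactly the same text as the one added to `getCACertificate` in the following hunk, so the log cannot show which operation was refused. The `null` return presumably looks the same to callers as a signer failure. Make the two messages distinct, for example `LOGGER.error("CertSigner is not available, unable to generate x509 certificate");` here and `LOGGER.error("CertSigner is not available, unable to fetch CA certificate");` in `getCACertificate`. The message is written on every request while the signer is missing, so it is worth deciding whether error level per call is wanted or whether the startup log entry is enough. Both method bodies continue outside their hunks.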
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/InstanceCertManagerTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/cert/InstanceCertManagerTest.java
@@ -2505,4 +2505,17 @@ public void testParseTimeUnit() {
 assertEquals(InstanceCertManager.parseTimeUnit("invalidstring"), TimeUnit.DAYS);
 }
+ @Test
+ public void testEmptyCertSignerFactoryClassName() {
+
+ System.setProperty(ZTSConsts.ZTS_PROP_CERT_SIGNER_FACTORY_CLASS, "");
+
+ InstanceCertManager instanceManager = new InstanceCertManager(null, null, null, new DynamicConfigBoolean(false));
+ assertNull(instanceManager.generateX509Certificate("provider", "issuer", "csr", "client", 0, Priority.High, "keyId"));
+ assertNull(instanceManager.getCACertificate("provider", "keyId"));
+
+ instanceManager.shutdown();
+
+ System.clearProperty(ZTSConsts.ZTS_PROP_CERT_SIGNER_FACTORY_CLASS);
+ }
 }
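Review bot: `testEmptyCertSignerFactoryClassName` clears `ZTSConsts.ZTS_PROP_CERT_SIGNER_FACTORY_CLASS` only on the success path, so a failing `assertNull` or an exception from the constructor leaves the property set to `""` for every later test in the same JVM. Those tests would then build managers with no signer and fail for an unrelated reason. Wrap the body after `System.setProperty` in `try { ... } finally { System.clearProperty(ZTSConsts.ZTS_PROP_CERT_SIGNER_FACTORY_CLASS); }`. If the suite sets this property elsewhere before this test runs, save the previous value and restore it instead of clearing.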