diff --git a/anchor/certificate_ops.py b/anchor/certificate_ops.py
index 44b531c..0e6df5c 100644
--- a/anchor/certificate_ops.py
+++ b/anchor/certificate_ops.py
@@ -105,8 +105,11 @@ def get_ca(ra_name):
 if not ca_path:
 pecan.abort(404, "CA certificate not available")
- with open(ca_path) as f:
- return f.read()
+ try:
+ with open(ca_path) as f:
+ return f.read()
+ except IOError:
+ pecan.abort(500, "CA certificate not available")
 def dispatch_sign(ra_name, csr):
diff --git a/tests/test_certificate_ops.py b/tests/test_certificate_ops.py
index 7d9baec..faf96a7 100644
--- a/tests/test_certificate_ops.py
+++ b/tests/test_certificate_ops.py
@@ -135,3 +135,14 @@ class CertificateOpsTests(tests.DefaultConfigMixin, tests.DefaultRequestMixin,
 with self.assertRaises(http_status.HTTPException) as cm:
 certificate_ops.dispatch_sign('default_ra', csr_obj)
 self.assertEqual(cm.exception.code, 500)
+
+ def test_ca_cert_not_configured(self):
+ """Test CA cert read failure."""
+ config = "anchor.jsonloader.conf._config"
+ self.sample_conf_ca['default_ca']['cert_path'] = None
+ data = self.sample_conf
+
+ with mock.patch.dict(config, data):
+ with self.assertRaises(http_status.HTTPException) as cm:
+ certificate_ops.get_ca('default_ra')
+ self.assertEqual(cm.exception.code, 404)
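Review bot: The new `except IOError:` branch in get_ca (anchor/certificate_ops.py) discards the exception, so an unreadable CA file produces a 500 with no server-side record of which path failed or why (missing file versus permission denied), and the response text is identical to the 404 case. Keeping the client-facing message generic is the right call, but the cause should be logged before aborting, e.g. `except IOError as e:` followed by `logger.error("cannot read CA certificate %s: %s", ca_path, e)`, where `logger` stands for whatever logger this module already defines (none is visible in the hunk). get_ca begins above the hunk, so how ca_path is derived is not shown here.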
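Review bot: The added test in tests/test_certificate_ops.py does not exercise the new `except IOError` branch: test_ca_cert_not_configured sets `cert_path` to None and asserts 404, which is the not-configured path that existed before this commit. Its docstring also describes the other case and would read better as `"""Test CA cert path not configured."""`. A second test that points `cert_path` at a file that cannot be opened and asserts 500 would cover the new code; the sketch below mirrors the setup of the added test and assumes the config patching behaves the same way for a non-None path.

```python
    # … unchanged: test_ca_cert_not_configured …

    def test_ca_cert_read_failure(self):
        """Test CA cert file that cannot be opened."""
        config = "anchor.jsonloader.conf._config"
        # constructed sample path; any location that does not exist will do
        self.sample_conf_ca['default_ca']['cert_path'] = '/nonexistent/ca.pem'
        data = self.sample_conf

        with mock.patch.dict(config, data):
            with self.assertRaises(http_status.HTTPException) as cm:
                certificate_ops.get_ca('default_ra')
        self.assertEqual(cm.exception.code, 500)
```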