diff --git a/util/secret/certificates.go b/util/secret/certificates.go
index 7e9d211dcf51..b1d553c52b82 100644
--- a/util/secret/certificates.go
+++ b/util/secret/certificates.go
@@ -371,6 +371,10 @@ func (c *Certificate) AsSecret(clusterName client.ObjectKey, owner metav1.OwnerR
 // AsFiles converts the certificate to a slice of Files that may have 0, 1 or 2 Files.
 func (c *Certificate) AsFiles() []bootstrapv1.File {
 	out := make([]bootstrapv1.File, 0)
+	if c.KeyPair == nil {
+		return out
+	}
+
 	if len(c.KeyPair.Cert) > 0 {
 		out = append(out, bootstrapv1.File{
 			Path:        c.CertFile,
diff --git a/util/secret/certificates_test.go b/util/secret/certificates_test.go
index e6c48c252ba2..ac9072003924 100644
--- a/util/secret/certificates_test.go
+++ b/util/secret/certificates_test.go
@@ -45,3 +45,11 @@ func TestNewControlPlaneJoinCertsExternal(t *testing.T) {
 	certs := secret.NewControlPlaneJoinCerts(config)
 	g.Expect(certs.GetByPurpose(secret.EtcdCA).KeyFile).To(BeEmpty())
 }
+
+func TestNewControlPlaneJoinCertsAsFilesNotPanicsWhenEmpty(t *testing.T) {
+	g := NewWithT(t)
+
+	config := &bootstrapv1.ClusterConfiguration{}
+	certs := secret.NewControlPlaneJoinCerts(config)
+	g.Expect(certs.AsFiles()).To(BeEmpty())
+}