diff --git a/src/reactive/vault_handlers.py b/src/reactive/vault_handlers.py
index 5887fc7..2f06c3b 100644
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
@@ -745,7 +745,9 @@ def publish_ca_info():
     if is_unit_paused_set():
         log("The Vault unit is paused, passing on publishing ca info.")
         return
-    # TODO(sahid): Add check when service is not running
+    if not service_running('vault'):
+        set_flag('failed.to.start')
+        return
     client = vault.get_client(url=vault.VAULT_LOCALHOST_URL)
     tls = endpoint_from_flag('certificates.available')
     if client.is_sealed():
@@ -848,7 +850,9 @@ def tune_pki_backend_config_changed():
     if is_unit_paused_set():
         log("The Vault unit is paused, passing on tunning pki backend.")
         return
-    # TODO(sahid): Add check when service is not running
+    if not service_running('vault'):
+        set_flag('failed.to.start')
+        return
     client = vault.get_client(url=vault.VAULT_LOCALHOST_URL)
     if client.is_sealed():
         log("Unable to tune pki backend, service sealed.")
diff --git a/unit_tests/test_reactive_vault_handlers.py b/unit_tests/test_reactive_vault_handlers.py
index 0acc4e9..b832e5d 100644
--- a/unit_tests/test_reactive_vault_handlers.py
+++ b/unit_tests/test_reactive_vault_handlers.py
@@ -733,6 +733,7 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
     @mock.patch.object(handlers, 'vault_pki')
     def test_publish_ca_info(self, vault_pki, _vault):
         self.is_unit_paused_set.return_value = False
+        self.service_running.return_value = True
         self._set_sealed(_vault, False)
 
         tls = self.endpoint_from_flag.return_value
@@ -746,6 +747,7 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
     @mock.patch.object(handlers, 'vault_pki')
     def test_publish_ca_info_sealed(self, vault_pki, _vault):
         self.is_unit_paused_set.return_value = False
+        self.service_running.return_value = True
         self._set_sealed(_vault, True)
 
         tls = self.endpoint_from_flag.return_value
@@ -759,6 +761,15 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
         handlers.publish_ca_info()
         assert not _vault.get_client.called
 
+    @mock.patch.object(handlers, 'vault')
+    def test_publish_ca_info_service_notrunning(self, _vault):
+        self.is_unit_paused_set.return_value = False
+        self.service_running.return_value = False
+
+        handlers.publish_ca_info()
+        self.set_flag.assert_called_with('failed.to.start')
+        assert not _vault.get_client.called
+
     @mock.patch.object(handlers, 'vault_pki')
     def test_publish_global_client_cert_already_gend(self, vault_pki):
         tls = self.endpoint_from_flag.return_value
@@ -912,6 +923,16 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
         assert not vault_pki.tune_pki_backend.called
         assert not vault_pki.update_roles.called
 
+    @mock.patch.object(handlers, 'vault_pki')
+    def test_tune_pki_backend_config_changed_notrunning(self, vault_pki):
+        self.is_unit_paused_set.return_value = False
+        self.service_running.return_value = False
+
+        handlers.tune_pki_backend_config_changed()
+        self.set_flag.assert_called_with('failed.to.start')
+        assert not vault_pki.tune_pki_backend.called
+        assert not vault_pki.update_roles.called
+
     @mock.patch.object(handlers, 'config')
     @mock.patch.object(handlers, 'clear_flag')
     @mock.patch.object(handlers, 'set_flag')