diff --git a/nova/crypto.py b/nova/crypto.py index 11f04dea40d8..a5126ae8f29e 100644 --- a/nova/crypto.py +++ b/nova/crypto.py @@ -96,7 +96,10 @@ def crl_path(project_id=None): def fetch_ca(project_id=None): if not FLAGS.use_project_ca: project_id = None - with open(ca_path(project_id), 'r') as cafile: + ca_file_path = ca_path(project_id) + if not os.path.exists(ca_file_path): + raise exception.CryptoCAFileNotFound(project_id=project_id) + with open(ca_file_path, 'r') as cafile: return cafile.read() @@ -140,8 +143,13 @@ def generate_key_pair(bits=1024): utils.execute('ssh-keygen', '-q', '-b', bits, '-N', '', '-t', 'rsa', '-f', keyfile) fingerprint = _generate_fingerprint('%s.pub' % (keyfile)) + if not os.path.exists(keyfile): + raise exception.FileNotFound(keyfile) private_key = open(keyfile).read() - public_key = open(keyfile + '.pub').read() + public_key_path = keyfile + '.pub' + if not os.path.exists(public_key_path): + raise exception.FileNotFound(public_key_path) + public_key = open(public_key_path).read() return (private_key, public_key, fingerprint) @@ -150,7 +158,10 @@ def fetch_crl(project_id): """Get crl file for project.""" if not FLAGS.use_project_ca: project_id = None - with open(crl_path(project_id), 'r') as crlfile: + crl_file_path = crl_path(project_id) + if not os.path.exists(crl_file_path): + raise exception.CryptoCRLFileNotFound(project_id) + with open(crl_file_path, 'r') as crlfile: return crlfile.read() diff --git a/nova/exception.py b/nova/exception.py index 1f51a08b59b1..e2db0dad8dab 100644 --- a/nova/exception.py +++ b/nova/exception.py 
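Review bot: The `os.path.exists(ca_file_path)` check added in fetch_ca is separate from the `open()` that follows, so if the file disappears between the two the caller still gets a raw IOError rather than CryptoCAFileNotFound. `os.path.exists` also returns False when the path cannot be stat'ed (for example a permission problem on a parent directory), which would be reported as a missing CA. Catching the error from `open()` itself and translating only ENOENT avoids both, as sketched below; it needs `errno` in scope. The same check-then-open pattern is repeated in the generate_key_pair and fetch_crl hunks. The diff adds no `import os` to nova/crypto.py, so the module presumably imports it already, which is worth confirming.

```python
    ca_file_path = ca_path(project_id)
    try:
        with open(ca_file_path, 'r') as cafile:
            return cafile.read()
    except IOError as e:
        # Only a missing file maps to the domain error; permission or
        # other I/O failures keep their original exception.
        if e.errno != errno.ENOENT:
            raise
        raise exception.CryptoCAFileNotFound(project_id=project_id)
```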
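Review bot: Both existence checks in generate_key_pair sit after `_generate_fingerprint('%s.pub' % (keyfile))`, which is handed the public-key path first. A missing `.pub` file would therefore presumably fail inside that helper before `raise exception.FileNotFound(public_key_path)` can run, so the checks belong directly after the `utils.execute('ssh-keygen', ...)` call. The two `open(...).read()` calls also leave the file objects, including the one for the private key, to be closed by garbage collection; `with open(keyfile) as f: private_key = f.read()` releases the handle deterministically. The function starts outside this hunk, so how `keyfile` is created and cleaned up is not visible here.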
@@ -1100,6 +1100,14 @@ class UnexpectedTaskStateError(NovaException): "the actual state is %(actual)s") +class CryptoCAFileNotFound(FileNotFound): + message = _("The CA file for %(project)s could not be found") + + +class CryptoCRLFileNotFound(FileNotFound): + message = _("The CRL file for %(project)s could not be found") + + def get_context_from_function_and_args(function, args, kwargs): """Find an arg of type RequestContext and return it. diff --git a/nova/tests/test_crypto.py b/nova/tests/test_crypto.py index c9ee6ca0220a..c725079d2ab9 100644 --- a/nova/tests/test_crypto.py +++ b/nova/tests/test_crypto.py @@ -22,6 +22,7 @@ import mox from nova import crypto from nova import db +from nova import exception from nova import flags from nova import test from nova import utils @@ -133,3 +134,21 @@ class RevokeCertsTest(test.TestCase): self.mox.ReplayAll() crypto.revoke_certs_by_project(project_id) + + +class CertExceptionTests(test.TestCase): + def test_fetch_ca_file_not_found(self): + with utils.tempdir() as tmpdir: + self.flags(ca_path=tmpdir) + self.flags(use_project_ca=True) + + self.assertRaises(exception.CryptoCAFileNotFound, crypto.fetch_ca, + project_id='fake') + + def test_fetch_crl_file_not_found(self): + with utils.tempdir() as tmpdir: + self.flags(ca_path=tmpdir) + self.flags(use_project_ca=True) + + self.assertRaises(exception.CryptoCRLFileNotFound, + crypto.fetch_crl, project_id='fake')
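Review bot: Both new messages interpolate `%(project)s`, but the call sites added in nova/crypto.py never supply a `project` keyword: fetch_ca raises `CryptoCAFileNotFound(project_id=project_id)` and fetch_crl raises `CryptoCRLFileNotFound(project_id)` positionally. NovaException's constructor is not shown here, so the exact effect is unconfirmed, but the rendered text will most likely fail to format or, in the positional case, treat the project id as the whole message. Renaming the placeholder to `%(project_id)s` and raising `exception.CryptoCRLFileNotFound(project_id=project_id)` in fetch_crl would make the two sides agree. `exception.FileNotFound(keyfile)` in generate_key_pair also passes its path positionally and should be checked against FileNotFound's own template.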
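Review bot: Both tests in CertExceptionTests assert only the exception type, so they would still pass if the message placeholders and the constructor arguments disagree. Catching the exception and checking its text, e.g. `self.assertIn('fake', str(exc))`, would cover the rendered message as well. There is also no test for the `use_project_ca=False` path or for the new FileNotFound raises in generate_key_pair. The setup relies on `self.flags(ca_path=tmpdir)` alone, which assumes ca_path() and crl_path() resolve under that flag; their bodies are not part of this diff.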