diff --git a/builtin/logical/ssh/path_roles.go b/builtin/logical/ssh/path_roles.go
index 907689f282..dfc2ffdb16 100644
--- a/builtin/logical/ssh/path_roles.go
+++ b/builtin/logical/ssh/path_roles.go
@@ -420,7 +420,6 @@ func (b *backend) pathRoleWrite(req *logical.Request, d *framework.FieldData) (*
 }
 
 func (b *backend) createCARole(allowedUsers, defaultUser string, data *framework.FieldData) (*sshRole, *logical.Response) {
-
 role := &sshRole{
 MaxTTL: data.Get("max_ttl").(string),
 TTL: data.Get("ttl").(string),
@@ -437,6 +436,10 @@ func (b *backend) createCARole(allowedUsers, defaultUser string, data *framework
 KeyType: KeyTypeCA,
 }
 
+ if !role.AllowUserCertificates && !role.AllowHostCertificates {
+ return nil, logical.ErrorResponse("Either 'allow_user_certificates' or 'allow_host_certificates' must be set to 'true'")
+ }
+
 defaultCriticalOptions := convertMapToStringValue(data.Get("default_critical_options").(map[string]interface{}))
 defaultExtensions := convertMapToStringValue(data.Get("default_extensions").(map[string]interface{}))