diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go
index 2b673271e3..10ada39cf4 100644
--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
@@ -46,7 +46,7 @@ func (b *backend) pathLogin(
 
 	// If no trusted chain was found, client is not authenticated
 	if len(trustedChains) == 0 {
-		return logical.ErrorResponse("invalid certificate"), nil
+		return logical.ErrorResponse("invalid certificate or no client certificate supplied"), nil
 	}
 
 	// Match the trusted chain with the policy
diff --git a/command/meta.go b/command/meta.go
index 6b7e1c6028..218ad177e5 100644
--- a/command/meta.go
+++ b/command/meta.go
@@ -113,12 +113,14 @@ func (m *Meta) Client() (*api.Client, error) {
 		RootCAs: certPool,
 	}
 
-	if m.flagClientCert != "" {
+	if m.flagClientCert != "" && m.flagClientKey != "" {
 		tlsCert, err := tls.LoadX509KeyPair(m.flagClientCert, m.flagClientKey)
 		if err != nil {
 			return nil, err
 		}
 		tlsConfig.Certificates = []tls.Certificate{tlsCert}
+	} else if m.flagClientCert != "" || m.flagClientKey != "" {
+		return nil, fmt.Errorf("Both client cert and client key must be provided")
 	}
 
 	client := *http.DefaultClient
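Review bot: The widened message on the `len(trustedChains) == 0` branch names two causes that this check cannot tell apart, so a caller who did send a certificate still reads "no client certificate supplied". If the goal is to make the missing-certificate case diagnosable, a separate check on the number of peer certificates before chain validation would let each case return its own `logical.ErrorResponse`; that connection state is read outside this hunk, so I cannot confirm where it is available. pathLogin's body starts and continues outside the hunk.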
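Review bot: The new error string in the `else if` branch starts with a capital letter and is built with `fmt.Errorf` without any format verbs; Go convention is a lowercase message, and `errors.New` is the usual call when nothing is formatted, so `return nil, fmt.Errorf("both client cert and client key must be provided")` (or `errors.New(...)` if that package is already imported) would match the rest of the codebase. Whether `fmt` is already imported in meta.go is not visible in this hunk. The mismatch check itself is a good addition: previously a cert without a key reached `tls.LoadX509KeyPair` and surfaced as an opaque file-open error. Client()'s body continues outside the hunk.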