diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go
index aeb33f87aa..563664f3d5 100644
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
@@ -844,7 +844,7 @@ func validateCaKeyUsages(keyUsages []string) error {
 			invalidKeyUsages = append(invalidKeyUsages, fmt.Sprintf("unrecognized key usage %s", usage))
 		}
 	}
-	if invalidKeyUsages != nil {
+	if len(invalidKeyUsages) > 0 {
 		return errors.New(strings.Join(invalidKeyUsages, "; "))
 	}
 	return nil
diff --git a/changelog/31597.txt b/changelog/31597.txt
new file mode 100644
index 0000000000..23cc670f18
--- /dev/null
+++ b/changelog/31597.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+builtin/logical/pki: don't return error for valid CA Key Usages on validation
+```