diff --git a/webrtc/base/rtccertificate.cc b/webrtc/base/rtccertificate.cc
index 574bf75bf2..3b3b8c9e89 100644
--- a/webrtc/base/rtccertificate.cc
+++ b/webrtc/base/rtccertificate.cc
@@ -54,6 +54,8 @@ scoped_refptr<RTCCertificate> RTCCertificate::FromPEM(
     const RTCCertificatePEM& pem) {
   std::unique_ptr<SSLIdentity> identity(SSLIdentity::FromPEMStrings(
       pem.private_key(), pem.certificate()));
+  if (!identity)
+    return nullptr;
   return new RefCountedObject<RTCCertificate>(identity.release());
 }
 
diff --git a/webrtc/base/rtccertificate.h b/webrtc/base/rtccertificate.h
index 46d6fd427c..24170208eb 100644
--- a/webrtc/base/rtccertificate.h
+++ b/webrtc/base/rtccertificate.h
@@ -66,6 +66,7 @@ class RTCCertificate : public RefCountInterface {
 
   // To/from PEM, a text representation of the RTCCertificate.
   RTCCertificatePEM ToPEM() const;
+  // Can return nullptr if the certificate is invalid.
   static scoped_refptr<RTCCertificate> FromPEM(const RTCCertificatePEM& pem);
   bool operator==(const RTCCertificate& certificate) const;
   bool operator!=(const RTCCertificate& certificate) const;
diff --git a/webrtc/base/rtccertificate_unittest.cc b/webrtc/base/rtccertificate_unittest.cc
index f5df7f1130..b318717790 100644
--- a/webrtc/base/rtccertificate_unittest.cc
+++ b/webrtc/base/rtccertificate_unittest.cc
@@ -137,4 +137,10 @@ TEST_F(RTCCertificateTest, CloneWithPEMSerialization) {
   EXPECT_EQ(orig->Expires(), clone->Expires());
 }
 
+TEST_F(RTCCertificateTest, FromPEMWithInvalidPEM) {
+  RTCCertificatePEM pem("not a valid PEM", "not a valid PEM");
+  scoped_refptr<RTCCertificate> certificate = RTCCertificate::FromPEM(pem);
+  EXPECT_FALSE(certificate);
+}
+
 }  // namespace rtc