diff --git a/pkg/pillar/scripts/device-steps.sh b/pkg/pillar/scripts/device-steps.sh
index e167ea9566..95b750fc5f 100755
--- a/pkg/pillar/scripts/device-steps.sh
+++ b/pkg/pillar/scripts/device-steps.sh
@@ -111,16 +111,16 @@ echo
 # /persist/certs/v2tlsbaseroot-certificates.sha256. This is to prepare for a future
 # feature where the controller can update the base file.
 # Note that programatically we add any proxy certificates to the list of roots we trust.
-if [ ! -f /config/v2tlsbaseroot-certificates.pem ]; then
+if [ ! -s /config/v2tlsbaseroot-certificates.pem ]; then
 echo "$(date -Ins -u) Creating default /config/v2tlsbaseroot-certificates.pem"
 cp -p /etc/ssl/certs/ca-certificates.crt /config/v2tlsbaseroot-certificates.pem
 fi
 sha=$(openssl sha256 /config/v2tlsbaseroot-certificates.pem | awk '{print $2}')
-if [ ! -f "$PERSIST_CERTS/$sha" ]; then
+if [ ! -s "$PERSIST_CERTS/$sha" ]; then
 echo "$(date -Ins -u) Adding /config/v2tlsbaseroot-certificates.pem to $PERSIST_CERTS"
 cp /config/v2tlsbaseroot-certificates.pem "$PERSIST_CERTS/$sha"
 fi
-if [ ! -f "$PERSIST_CERTS/v2tlsbaseroot-certificates.sha256" ]; then
+if [ ! -s "$PERSIST_CERTS/v2tlsbaseroot-certificates.sha256" ]; then
 echo "$(date -Ins -u) Setting /config/v2tlsbaseroot-certificates.pem as current"
 echo "$sha" >"$PERSIST_CERTS/v2tlsbaseroot-certificates.sha256"
 fi
@@ -209,7 +209,7 @@ if ! pgrep ledmanager >/dev/null; then
 $BINDIR/ledmanager &
 wait_for_touch ledmanager
 fi
-if [ ! -f $CONFIGDIR/device.cert.pem ]; then
+if [ ! -s $CONFIGDIR/device.cert.pem ]; then
 touch $FIRSTBOOTFILE # For nodeagent
 fi
@@ -358,7 +358,7 @@ done
 # Add ndpd to watchdog
 touch "$WATCHDOG_PID/ntpd.pid"
-if [ ! -f $CONFIGDIR/device.cert.pem ]; then
+if [ ! -s $CONFIGDIR/device.cert.pem ]; then
 echo "$(date -Ins -u) Generating a device key pair and self-signed cert (using TPM/TEE if available)"
 touch $CONFIGDIR/self-register-pending
 sync
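Review bot: The `sha` produced by `openssl sha256 ... | awk '{print $2}'` is never checked before it is written into `v2tlsbaseroot-certificates.sha256`, so if openssl fails or the pem is unreadable the script writes an empty pointer file — exactly the zero-byte case tls.go now has to reject at read time. Guard it at the source, for example `[ -n "$sha" ] || { echo "$(date -Ins -u) Failed to hash /config/v2tlsbaseroot-certificates.pem"; exit 1; }` placed right after the `sha=` line (substituting whatever failure path the script uses elsewhere). The new `-s` tests also only prove the files are non-empty, so a cert copy or pointer write cut short by a power loss (the script already calls `sync` further down, which suggests this matters) would still be accepted on the next boot; writing each file to a temporary name followed by `sync` and `mv` would let both the copied cert and the pointer file appear atomically.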
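Review bot: The rewritten `+if [ ! -s $CONFIGDIR/device.cert.pem ]; then` keeps `$CONFIGDIR` unquoted, unlike the `"$PERSIST_CERTS/$sha"` tests in the hunk above; the same applies to the new `-s` lines at -358 and -388 (`$CONFIGDIR/device.cert.pem`, `$CONFIGDIR/server`, `$CONFIGDIR/root-certificate.pem`). Since these lines are being touched anyway, quoting them (`if [ ! -s "$CONFIGDIR/device.cert.pem" ]; then`) keeps ShellCheck SC2086 quiet and avoids word-splitting and globbing on the path. The test here (first-boot marker) and the one at -358 (key-pair regeneration) must stay identical, which the commit ensures for now; a comment such as `# must match the device.cert.pem check before key generation below` would keep the two from drifting apart in later edits.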
@@ -388,7 +388,7 @@ else
 echo "$(date -Ins -u) Using existing device key pair and self-signed cert"
 SELF_REGISTER=0
 fi
-if [ ! -f $CONFIGDIR/server ] || [ ! -f $CONFIGDIR/root-certificate.pem ]; then
+if [ ! -s $CONFIGDIR/server ] || [ ! -s $CONFIGDIR/root-certificate.pem ]; then
 echo "$(date -Ins -u) No server or root-certificate to connect to. Done"
 exit 0
 fi
diff --git a/pkg/pillar/zedcloud/tls.go b/pkg/pillar/zedcloud/tls.go
index 896721e72a..838d228575 100644
--- a/pkg/pillar/zedcloud/tls.go
+++ b/pkg/pillar/zedcloud/tls.go
@@ -107,6 +107,11 @@ func GetTlsConfig(dns *types.DeviceNetworkStatus, serverName string, clientCert
 return nil, err
 }
 sha := strings.TrimSpace(string(line))
+if len(sha) == 0 {
+errStr := fmt.Sprintf("Read zero byte from sha file")
+log.Errorf(errStr)
+return nil, errors.New(errStr)
+}
 v2RootFilename := types.CertificateDirname + "/" + sha
 caCert, err := ioutil.ReadFile(v2RootFilename)
 if err != nil {
@@ -239,6 +244,11 @@ func UpdateTLSProxyCerts(ctx *ZedCloudContext) bool {
 return false
 }
 sha := strings.TrimSpace(string(line))
+if len(sha) == 0 {
+errStr := fmt.Sprintf("Read zero byte from sha file")
+log.Errorf(errStr)
+return false
+}
 v2RootFilename := types.CertificateDirname + "/" + sha
 caCert, err := ioutil.ReadFile(v2RootFilename)
 if err != nil {
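Review bot: In the new guard in GetTlsConfig, `fmt.Sprintf("Read zero byte from sha file")` has no verbs or arguments and `log.Errorf(errStr)` passes a non-constant format string, which `go vet` flags; the identical block added to UpdateTLSProxyCerts at -239 has the same problem, and because the value was already run through `strings.TrimSpace` the message should say the file is empty or whitespace-only rather than "zero byte". A plain string and `log.Error` are enough: `errStr := "empty sha file in " + types.CertificateDirname`, `log.Error(errStr)`, `return nil, errors.New(errStr)` (and `return false` in the second function). Since `sha` is spliced directly into `types.CertificateDirname + "/" + sha`, it is also worth rejecting anything that is not a plain hex digest (a length check against 64 hex characters would do) rather than only the empty string, so that a corrupted pointer file cannot select a file outside the certificate directory as the trust root. Both function bodies begin and continue outside the hunk.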