diff --git a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLService.java b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLService.java
index 2015b101065..fc35a47de6d 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLService.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLService.java
@@ -813,30 +813,36 @@ public class SSLService extends AbstractComponent {
 /**
 * This is an empty trust manager that is used in case a loaded trust manager is null
 */
- private static final class EmptyX509TrustManager extends X509ExtendedTrustManager {
+ static final class EmptyX509TrustManager extends X509ExtendedTrustManager {
 @Override
 public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
+ throw new CertificateException("no certificates are trusted");
 }
 @Override
 public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
+ throw new CertificateException("no certificates are trusted");
 }
 @Override
 public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
+ throw new CertificateException("no certificates are trusted");
 }
 @Override
 public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
+ throw new CertificateException("no certificates are trusted");
 }
 @Override
 public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+ throw new CertificateException("no certificates are trusted");
 }
 @Override
 public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+ throw new CertificateException("no certificates are trusted");
 }
 @Override
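Review bot: The class Javadoc above the changed declaration still describes EmptyX509TrustManager as an "empty trust manager ... used in case a loaded trust manager is null", but with the six new `throw` lines it now rejects every peer, and the comment should say so: `/** Trust manager that rejects every certificate; installed in place of a null trust manager so that a missing trust store fails closed. Package-private for testing. */`. Dropping `private` on the declaration appears to exist only so SSLServiceTests can instantiate the class; a `// package-private for testing` comment there keeps a later cleanup from narrowing or widening it again. The identical `"no certificates are trusted"` literal appears six times and could be one `private static final String` constant, giving the test's expected message a single source of truth. `getAcceptedIssuers()` and the class's closing brace lie past the end of the hunk.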
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLServiceTests.java b/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLServiceTests.java
index 79e83a8dfd5..0429f51e17b 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLServiceTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLServiceTests.java
@@ -34,10 +34,13 @@ import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.net.Socket;
 import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -45,6 +48,7 @@ import java.util.List;
 import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.emptyArray;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
@@ -407,6 +411,25 @@ public class SSLServiceTests extends ESTestCase {
 }
 }
+ public void testEmptyTrustManager() throws Exception {
+ X509ExtendedTrustManager trustManager = new SSLService.EmptyX509TrustManager();
+ assertThat(trustManager.getAcceptedIssuers(), emptyArray());
+ final String message = "no certificates are trusted";
+ CertificateException ce =
+ expectThrows(CertificateException.class, () -> trustManager.checkClientTrusted(null, null, (Socket) null));
+ assertEquals(message, ce.getMessage());
+ ce = expectThrows(CertificateException.class, () -> trustManager.checkClientTrusted(null, null, (SSLEngine) null));
+ assertEquals(message, ce.getMessage());
+ ce = expectThrows(CertificateException.class, () -> trustManager.checkClientTrusted(null, null));
+ assertEquals(message, ce.getMessage());
+ ce = expectThrows(CertificateException.class, () -> trustManager.checkServerTrusted(null, null, (Socket) null));
+ assertEquals(message, ce.getMessage());
+ ce = expectThrows(CertificateException.class, () -> trustManager.checkServerTrusted(null, null, (SSLEngine) null));
+ assertEquals(message, ce.getMessage());
+ ce = expectThrows(CertificateException.class, () -> trustManager.checkServerTrusted(null, null));
+ assertEquals(message, ce.getMessage());
+ }
+
 @Network
 public void testThatSSLContextWithoutSettingsWorks() throws Exception {
 SSLService sslService = new SSLService(Settings.EMPTY, env);
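Review bot: Every `expectThrows` call in testEmptyTrustManager passes `null` for both the certificate chain and the auth type, so the test only demonstrates that the exception is raised before the arguments are touched; a trust manager that rejected only null or empty input would pass it too. One call per overload with a concrete, non-null input, e.g. `trustManager.checkServerTrusted(new X509Certificate[0], "RSA", (SSLEngine) null)`, would pin the intended contract that rejection is unconditional (this needs X509Certificate imported in the test, which the import hunk does not show). The six near-identical expect/assert pairs could also be driven from a small list of lambdas so a new overload is one line rather than two.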