src/crypto/x509/verify.go      |  2 +-
 src/crypto/x509/verify_test.go | 19 +++++++++++++++++++

diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 9d3c3246d3098dc474ed1f0b49db3ee316fe9b6c..6efbff28bf7b6e997988c46a8197b6f7b1430c5d 100644
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -899,7 +899,7 @@ 		hintCert *Certificate
 	)
 
 	considerCandidate := func(certType int, candidate potentialParent) {
-		if alreadyInChain(candidate.cert, currentChain) {
+		if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) {
 			return
 		}
 
diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
index 861d2b389064ba5586001b46d4185957d524cc88..8a7a5f6e2c6d457191afdb733af496d323268d64 100644
--- a/src/crypto/x509/verify_test.go
+++ b/src/crypto/x509/verify_test.go
@@ -2792,3 +2792,22 @@ 		})
 	}
 
 }
+
+func TestVerifyNilPubKey(t *testing.T) {
+	c := &Certificate{
+		RawIssuer:      []byte{1, 2, 3},
+		AuthorityKeyId: []byte{1, 2, 3},
+	}
+	opts := &VerifyOptions{}
+	opts.Roots = NewCertPool()
+	r := &Certificate{
+		RawSubject:   []byte{1, 2, 3},
+		SubjectKeyId: []byte{1, 2, 3},
+	}
+	opts.Roots.AddCert(r)
+
+	_, err := c.buildChains([]*Certificate{r}, nil, opts)
+	if _, ok := err.(UnknownAuthorityError); !ok {
+		t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{})
+	}
+}