diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.bro
index 9c02c63784..4c11c5cef9 100644
--- a/scripts/policy/protocols/ssl/expiring-certs.bro
+++ b/scripts/policy/protocols/ssl/expiring-certs.bro
@@ -38,7 +38,8 @@ event ssl_established(c: connection) &priority=3
 	{
 	# If there are no certificates or we are not interested in the server, just return.
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
-		 ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
+	    ! addr_matches_host(c$id$resp_h, notify_certs_expiration) ||
+	    ! c$ssl$cert_chain[0]?$x509 )
 		return;
 
 	local fuid = c$ssl$cert_chain_fuids[0];
diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.bro
index 3646a4d43e..b89f71ba89 100644
--- a/scripts/policy/protocols/ssl/notary.bro
+++ b/scripts/policy/protocols/ssl/notary.bro
@@ -39,7 +39,7 @@ function clear_waitlist(digest: string)
 
 event ssl_established(c: connection) &priority=3
 	{
-	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$sha1 )
 		return;
 
 	local digest = c$ssl$cert_chain[0]$sha1;
diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro
index 47bb7a8316..f11fb9da5e 100644
--- a/scripts/policy/protocols/ssl/weak-keys.bro
+++ b/scripts/policy/protocols/ssl/weak-keys.bro
@@ -37,7 +37,8 @@ event ssl_established(c: connection) &priority=3
 	{
 	# If there are no certificates or we are not interested in the server, just return.
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
-	     ! addr_matches_host(c$id$resp_h, notify_weak_keys) )
+	     ! addr_matches_host(c$id$resp_h, notify_weak_keys) ||
+	     ! c$ssl$cert_chain[0]?$x509 )
 		return;
 
 	local fuid = c$ssl$cert_chain_fuids[0];