diff --git a/src/connectionmanager.cpp b/src/connectionmanager.cpp
index 127b55baa8e16b53870989d4047941a498504770..94e009dc2cc600e0da6cd1f05923b3d845e3c3a3 100644
--- a/src/connectionmanager.cpp
+++ b/src/connectionmanager.cpp
@@ -1452,7 +1452,7 @@ ConnectionManager::Impl::foundPeerDevice(const std::shared_ptr<dht::crypto::Cert
 // Device certificate can't be self-signed
 if (top_issuer == crt) {
 if (logger)
- logger->warn("Found invalid peer device: {}", crt->getLongId());
+ logger->warn("Found invalid (self-signed) peer device: {}", crt->getLongId());
 return false;
 }
@@ -1469,7 +1469,7 @@ ConnectionManager::Impl::foundPeerDevice(const std::shared_ptr<dht::crypto::Cert
 // Check cached OCSP response
 if (crt->ocspResponse and crt->ocspResponse->getCertificateStatus() != GNUTLS_OCSP_CERT_GOOD) {
 if (logger)
- logger->error("Certificate %s is disabled by cached OCSP response", crt->getLongId());
+ logger->error("Certificate {} is disabled by cached OCSP response", crt->getLongId());
 return false;
 }
diff --git a/src/security/certstore.cpp b/src/security/certstore.cpp
index 2ef05e4deb3c3098b5ef0f1ed011f1a378b657f3..9b6bb9698be903086d1f4a3a7f1b1d7027c5e927 100644
--- a/src/security/certstore.cpp
+++ b/src/security/certstore.cpp
@@ -165,11 +165,16 @@ CertificateStore::getCertificate(const std::string& k)
 std::shared_ptr<crypto::Certificate>
 CertificateStore::getCertificateLegacy(const std::string& dataDir, const std::string& k)
 {
- auto oldPath = fmt::format("{}/certificates/{}", dataDir, k);
- if (fileutils::isFile(oldPath)) {
- auto crt = std::make_shared<crypto::Certificate>(oldPath);
- pinCertificate(crt, true);
- return crt;
+ try {
+ auto oldPath = fmt::format("{}/certificates/{}", dataDir, k);
+ if (fileutils::isFile(oldPath)) {
+ auto crt = std::make_shared<crypto::Certificate>(oldPath);
+ pinCertificate(crt, true);
+ return crt;
+ }
+ } catch (const std::exception& e) {
+ if (logger_)
+ logger_->warn("Can't load certificate: {:s}", e.what());
 }
 return {};
 }
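Review bot: The warning added in the catch block of getCertificateLegacy does not identify which certificate failed: `oldPath` is declared inside the try and is out of scope in the handler, and the text is identical to the warning added in pinCertificatePath, so the two sites cannot be told apart in logs. Including the key, e.g. `logger_->warn("Can't load legacy certificate {}: {:s}", k, e.what());`, would make a corrupt file under `certificates/` traceable. Separately, `k` is formatted into the path as-is; if any caller passes an identifier that originates from a peer, it is worth confirming that it is validated as a certificate id before it reaches this function, which the hunk does not show.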
@@ -273,12 +278,17 @@ CertificateStore::pinCertificatePath(const std::string& path,
 std::lock_guard<std::mutex> l(lock_);
 for (auto& cert : certs) {
- auto shared = std::make_shared<crypto::Certificate>(std::move(cert));
- scerts.emplace_back(shared);
- auto e = certs_.emplace(shared->getId().toString(), shared);
- ids.emplace_back(e.first->first);
- e = certs_.emplace(shared->getLongId().toString(), shared);
- ids.emplace_back(e.first->first);
+ try {
+ auto shared = std::make_shared<crypto::Certificate>(std::move(cert));
+ scerts.emplace_back(shared);
+ auto e = certs_.emplace(shared->getId().toString(), shared);
+ ids.emplace_back(e.first->first);
+ e = certs_.emplace(shared->getLongId().toString(), shared);
+ ids.emplace_back(e.first->first);
+ } catch (const std::exception& e) {
+ if (logger_)
+ logger_->warn("Can't load certificate: {:s}", e.what());
+ }
 }
 paths_.emplace(path, std::move(scerts));
 }
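Review bot: The new try block inside the `for (auto& cert : certs)` loop mutates `scerts` and `certs_` before every call that might throw has run, so a certificate that fails part-way can be left half-registered. If `getId()` throws (presumably one of the calls the try is meant to guard), `shared` is already in `scerts` and is later stored under `paths_` without any entry in `certs_`; if `getLongId()` throws, the certificate stays indexed under its short id only. Resolving both id strings before the first insertion keeps the store consistent when an entry is skipped, and naming the handler variable something other than `e` avoids confusion with the `auto e` result pair in the try block. pinCertificatePath starts before this hunk and continues after it, so how `ids` and `scerts` are consumed afterwards is not visible here.

```cpp
for (auto& cert : certs) {
    try {
        auto shared = std::make_shared<crypto::Certificate>(std::move(cert));
        // Resolve both ids first so a throwing accessor leaves no partial entry behind.
        auto shortId = shared->getId().toString();
        auto longId = shared->getLongId().toString();
        scerts.emplace_back(shared);
        ids.emplace_back(certs_.emplace(shortId, shared).first->first);
        ids.emplace_back(certs_.emplace(longId, shared).first->first);
    } catch (const std::exception& ex) {
        // … unchanged: logger_->warn call, reading ex.what() …
    }
}
```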