diff --git a/security/manager/ssl/gen_cert_header.py b/security/manager/ssl/gen_cert_header.py
index 683a9a6a34de..d0ed40e7a2bf 100644
--- a/security/manager/ssl/gen_cert_header.py
+++ b/security/manager/ssl/gen_cert_header.py
@@ -7,6 +7,9 @@ def _file_byte_generator(filename):
     with open(filename, "rb") as f:
         contents = f.read()
 
+        if b"-----BEGIN CERTIFICATE-----" in contents:
+            raise Exception(f"{filename} contains a PEM certificate. Expected DER.")
+
         # Treat empty files the same as a file containing a lone 0;
         # a single-element array will fail cert verifcation just as an
         # empty array would.