diff --git a/pkg/server/ca/manager/journal.go b/pkg/server/ca/manager/journal.go
index 5fe39e7e0d..d8f1f0c82d 100644
--- a/pkg/server/ca/manager/journal.go
+++ b/pkg/server/ca/manager/journal.go
@@ -231,6 +231,10 @@ func (j *Journal) saveInDatastore(ctx context.Context, entriesBytes []byte) (caJ
 // Check if we already identified what's the CA journal for this server in
 // the datastore. If not, log that we are creating a new CA journal entry.
 if j.caJournalID == 0 {
+ if j.activeX509AuthorityID == "" {
+ j.config.log.Debug("There is no active X.509 authority yet. Can't save CA journal in the datastore")
+ return 0, nil
+ }
 j.config.log.Info("Creating a new CA journal entry")
 }
diff --git a/pkg/server/ca/rotator/rotator.go b/pkg/server/ca/rotator/rotator.go
index 45424513fd..17f4ef190d 100644
--- a/pkg/server/ca/rotator/rotator.go
+++ b/pkg/server/ca/rotator/rotator.go
@@ -124,6 +124,12 @@ func (r *Rotator) rotate(ctx context.Context) error {
 if x509CAErr != nil {
 atomic.AddUint64(&r.failedRotationNum, 1)
 r.c.Log.WithError(x509CAErr).Error("Unable to rotate X509 CA")
+ if r.c.Manager.GetCurrentX509CASlot().IsEmpty() {
+ // Preparation of the X509 CA failed, and there is no active X509
+ // authority. We will be unable to store the JWT authority, so we
+ // don't try to rotate the JWT key in this case.
+ return x509CAErr
+ }
 }
 jwtKeyErr := r.rotateJWTKey(ctx)
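Review bot: The new early return in `saveInDatastore` reports success (`return 0, nil`) although nothing was written, and the only trace is a Debug message, so unless debug logging is enabled a server whose CA journal is not being persisted looks the same as one whose journal is. Callers can only tell "saved" from "skipped" by treating a zero ID specially, so that contract belongs in the function's doc comment, for example `// It returns (0, nil) without writing when no journal entry exists yet and there is no active X.509 authority.` If the skip can repeat across many save attempts, consider raising the message to Info or Warn. The function starts and continues outside the hunk, so how the caller uses the returned ID is not visible here and should be checked.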
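Review bot: The early `return x509CAErr` in `rotate` skips `rotateJWTKey` without leaving any trace: the only log line on this path is "Unable to rotate X509 CA", so an operator cannot tell from the logs that JWT key rotation was deliberately not attempted. A line before the return would make that explicit, for example `r.c.Log.Warn("Skipping JWT key rotation: there is no active X509 authority")`. It is also worth confirming that `GetCurrentX509CASlot()` cannot return nil on this path, since `.IsEmpty()` is called on its result unchecked. The rest of `rotate` lies outside the hunk, so whether the code after `rotateJWTKey` does error combining or bookkeeping that this return now bypasses cannot be verified from here.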