diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs
index 9f014af6..31aae536 100644
--- a/openssl/src/pkcs12.rs
+++ b/openssl/src/pkcs12.rs
@@ -42,7 +42,12 @@ impl Pkcs12Ref {
 
             let pkey = PKey::from_ptr(pkey);
             let cert = X509::from_ptr(cert);
-            let chain = Stack::from_ptr(chain);
+
+            let chain = if chain.is_null() {
+                try!(Stack::new())
+            } else {
+                Stack::from_ptr(chain)
+            };
 
             Ok(ParsedPkcs12 {
                 pkey: pkey,
@@ -80,6 +85,7 @@ impl Pkcs12 {
 pub struct ParsedPkcs12 {
     pub pkey: PKey,
     pub cert: X509,
+    // FIXME Make this Option<Stack> in the next breaking release
     pub chain: Stack<X509>,
 }
 
@@ -196,6 +202,16 @@ mod test {
                    "c0cbdf7cdd03c9773e5468e1f6d2da7d5cbb1875");
     }
 
+    #[test]
+    fn parse_empty_chain() {
+        let der = include_bytes!("../test/keystore-empty-chain.p12");
+        let pkcs12 = Pkcs12::from_der(der).unwrap();
+        let parsed = pkcs12.parse("cassandra").unwrap();
+
+        assert_eq!(parsed.chain.len(), 0);
+        assert_eq!(parsed.chain.into_iter().collect::<Vec<_>>().len(), 0);
+    }
+
     #[test]
     fn create() {
         let subject_name = "ns.example.com";
diff --git a/openssl/src/stack.rs b/openssl/src/stack.rs
index 268afde7..6ac8264c 100644
--- a/openssl/src/stack.rs
+++ b/openssl/src/stack.rs
@@ -86,6 +86,8 @@ impl<T: Stackable> ForeignType for Stack<T> {
 
     #[inline]
     unsafe fn from_ptr(ptr: *mut T::StackType) -> Stack<T> {
+        assert!(!ptr.is_null(), "Must not instantiate a Stack from a null-ptr - use Stack::new() in \
+                                 that case");
         Stack(ptr)
     }
 
diff --git a/openssl/test/keystore-empty-chain.p12 b/openssl/test/keystore-empty-chain.p12
new file mode 100644
index 00000000..c39930a5
Binary files /dev/null and b/openssl/test/keystore-empty-chain.p12 differ