diff --git a/src/common/libflux/security.c b/src/common/libflux/security.c
index e80569b458a6..bf0117d00e9f 100644
--- a/src/common/libflux/security.c
+++ b/src/common/libflux/security.c
@@ -523,6 +523,22 @@ static char * ctime_iso8601_now (char *buf, size_t sz)
 return (buf);
 }
 
+static bool zcert_is_zero (zcert_t *cert)
+{
+ bool rc;
+ byte z[64]; /* XXX: ZMQ cert is 32 bytes, but pad here for safety */
+ zcert_t *zero;
+
+ /*
+ * Create cert from zero keys, compare to argument:
+ */
+ memset (z, 0, sizeof (z));
+ zero = zcert_new_from (z, z);
+ rc = zcert_eq (cert, zero);
+ zcert_destroy (&zero);
+ return (rc);
+}
+
 static int gencurve (flux_sec_t c, const char *role, bool force, bool verbose)
 {
 char *path = NULL, *priv = NULL;;
@@ -553,6 +569,12 @@ static int gencurve (flux_sec_t c, const char *role, bool force, bool verbose)
 }
 if (!(cert = zcert_new ()))
 oom ();
+ if (zcert_is_zero (cert)) {
+ seterrstr (c, "Failed to create non-zero keys."
+ " Is libzmq compiled with libsodium?");
+ errno = EINVAL;
+ goto done;
+ }
 zcert_set_meta (cert, "time", "%s", ctime_iso8601_now (buf, sizeof (buf)));
 zcert_set_meta (cert, "role", (char *)role);
 if (verbose) {
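Review bot: In `zcert_is_zero`, the result of `zcert_new_from (z, z)` goes straight into `zcert_eq` with no NULL check, while `gencurve` treats a failed `zcert_new ()` as out of memory. If the reference cert cannot be allocated, the zero-key comparison runs on a NULL pointer, which probably aborts or misbehaves inside czmq rather than giving an answer. Matching the caller with `if (!(zero = zcert_new_from (z, z))) oom ();` keeps the guard from failing in an undefined way. Since `zcert_eq` appears to compare the whole certificate, a header comment such as `/* Return true if both the public and secret key of cert are all zero bytes. */` would state exactly what the helper detects.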
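Review bot: The new failure branch in `gencurve` sets `errno = EINVAL`, but the condition is a libzmq build that cannot produce CURVE keys, not a bad argument. A caller that looks only at errno cannot tell this apart from a malformed request; `errno = ENOTSUP;` (or `ENOSYS`) would describe it better. The branch also leaves through `goto done` with `cert` still allocated. The `done:` label is outside this hunk, so it is worth confirming that it destroys `cert` on this path. A short comment above the check would record why it exists, for example `/* all-zero keys mean no usable CURVE keypair was generated; never write them to disk */`.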