diff --git a/CHANGES b/CHANGES
index 8ae835854..913be643d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,13 @@
 Changes with FreeUnit 1.35.4 xx xxx 2026
+ *) Bugfix: validate that the loaded TLS private key matches the
+ certificate; previously a mismatched key/cert pair was accepted
+ at config time and only surfaced as a handshake failure. Also
+ guard the wildcard-name SAN matcher against an empty name (1-byte
+ OOB read of item->name.start[0] when the cert had a zero-length
+ SAN entry).
+
 *) Bugfix: fix router process CPU spin and connection hang under port scanning load; CLOSE-WAIT sockets are now cleaned up properly on client FIN, idle connection queue iteration fixed, systemd file
diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index 265542aae..78de39935 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -519,7 +519,9 @@ nxt_openssl_chain_file(nxt_task_t *task, SSL_CTX *ctx, nxt_tls_conf_t *conf,
 goto end;
 }
- if (SSL_CTX_use_PrivateKey(ctx, key) == 1) {
+ if (SSL_CTX_use_PrivateKey(ctx, key) == 1
+ && SSL_CTX_check_private_key(ctx) == 1)
+ {
 ret = NXT_OK;
 }
@@ -983,7 +985,7 @@ nxt_openssl_bundle_hash_insert(nxt_task_t *task, nxt_lvlhsh_t *lvlhsh,
 str = item->name;
- if (item->name.start[0] == '*') {
+ if (item->name.length > 0 && item->name.start[0] == '*') {
 item->name.start++;
 item->name.length--;
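Review bot: In the first nxt_openssl.c hunk, folding SSL_CTX_check_private_key() into the same condition as SSL_CTX_use_PrivateKey() means a key that loaded fine but does not belong to the certificate now fails exactly like a key that could not be loaded at all, with no dedicated diagnostic; whatever the function reports at `end:` (outside this hunk) will only tell the two apart if it dumps the OpenSSL error queue, where the mismatch typically surfaces as X509_R_KEY_VALUES_MISMATCH, and only if nothing clears that queue first. I would split the two checks so each failure path logs its own message, as below, keeping the existing `goto end` error path. Note that SSL_CTX_check_private_key() compares against the certificate already set on ctx, so it must stay after the certificate load that presumably happens earlier in nxt_openssl_chain_file(), whose body starts and ends outside the hunk. The check also deserves a short comment, since the behaviour change is deliberate: `/* Reject a key that does not belong to the loaded certificate: fail at config time, not at handshake. */`.
```c
    if (SSL_CTX_use_PrivateKey(ctx, key) != 1) {
        /* … existing OpenSSL error reporting: the key failed to load … */
        goto end;
    }

    /* Reject a key that does not belong to the loaded certificate:
     * fail at config time, not at handshake. */
    if (SSL_CTX_check_private_key(ctx) != 1) {
        /* … report "private key does not match certificate" via the same logger … */
        goto end;
    }

    ret = NXT_OK;
```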