diff --git a/CHANGES b/CHANGES
index 6d63e906a1..a6079bff91 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
+     (and logging garbled file names). PR 56306. [Kaspar Brand]
+
   *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
      that might be set by filters.  [Jim Riggs <jim riggs.me>]
 
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index ab5fa5e51a..cbc4a7433d 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -914,9 +914,11 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
         }
 
         /* and second, the private key */
-        keyfile = APR_ARRAY_IDX(mctx->pks->key_files, i, const char *);
-        if (keyfile == NULL)
+        if (i < mctx->pks->key_files->nelts) {
+            keyfile = APR_ARRAY_IDX(mctx->pks->key_files, i, const char *);
+        } else {
             keyfile = certfile;
+        }
 
         ERR_clear_error();