diff --git a/contrib/pg_tde/src/keyring/keyring_api.c b/contrib/pg_tde/src/keyring/keyring_api.c
index 3d073ccd59721..618ff2da7a20e 100644
--- a/contrib/pg_tde/src/keyring/keyring_api.c
+++ b/contrib/pg_tde/src/keyring/keyring_api.c
@@ -10,6 +10,7 @@
 
 #include <assert.h>
 #include <openssl/rand.h>
+#include <openssl/err.h>
 
 typedef struct RegisteredKeyProviderType
 {
@@ -127,15 +128,15 @@ KeyringGenerateNewKey(const char *key_name, unsigned key_len)
 {
 	KeyInfo    *key;
 
-	Assert(key_len <= 32);
+	Assert(key_len <= sizeof(key->data));
 	/* Struct will be saved to disk so keep clean */
 	key = palloc0_object(KeyInfo);
 	key->data.len = key_len;
 	if (!RAND_bytes(key->data.data, key_len))
-	{
-		pfree(key);
-		return NULL;			/* openssl error */
-	}
+		ereport(ERROR,
+				errcode(ERRCODE_INTERNAL_ERROR),
+				errmsg("could not generate new principal key: %s",
+					   ERR_error_string(ERR_get_error(), NULL)));
 	strlcpy(key->name, key_name, sizeof(key->name));
 	return key;
 }