diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py
index abc7362cf7c..e2c340fbd2a 100644
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@@ -24,6 +24,10 @@ TASKD_USER = "@user@"
 TASKD_GROUP = "@group@"
 FQDN = "@fqdn@"
 
+CA_KEY = os.path.join(TASKD_DATA_DIR, "keys", "ca.key")
+CA_CERT = os.path.join(TASKD_DATA_DIR, "keys", "ca.cert")
+CRL_FILE = os.path.join(TASKD_DATA_DIR, "keys", "server.crl")
+
 RE_CONFIGUSER = re.compile(r'^\s*user\s*=(.*)$')
 RE_USERKEY = re.compile(r'New user key: (.+)$', re.MULTILINE)
 
@@ -151,8 +155,6 @@ def generate_key(org, user):
 
     privkey = os.path.join(basedir, "private.key")
     pubcert = os.path.join(basedir, "public.cert")
-    cakey = os.path.join(TASKD_DATA_DIR, "keys", "ca.key")
-    cacert = os.path.join(TASKD_DATA_DIR, "keys", "ca.cert")
 
     try:
         os.makedirs(basedir, mode=0700)
@@ -172,8 +174,8 @@ def generate_key(org, user):
             certtool_cmd(
                 "-c",
                 "--load-privkey", privkey,
-                "--load-ca-privkey", cakey,
-                "--load-ca-certificate", cacert,
+                "--load-ca-privkey", CA_KEY,
+                "--load-ca-certificate", CA_CERT,
                 "--template", template,
                 "--outfile", pubcert
             )
@@ -183,10 +185,6 @@ def generate_key(org, user):
 
 
 def revoke_key(org, user):
-    cakey = os.path.join(TASKD_DATA_DIR, "keys", "ca.key")
-    cacert = os.path.join(TASKD_DATA_DIR, "keys", "ca.cert")
-    crl = os.path.join(TASKD_DATA_DIR, "keys", "server.crl")
-
     basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user)
     if not os.path.exists(basedir):
         raise OSError("Keyfile directory for {} doesn't exist.".format(user))
@@ -197,16 +195,16 @@ def revoke_key(org, user):
 
     with create_template([expiration]) as template:
         oldcrl = NamedTemporaryFile(mode="wb", prefix="old-crl")
-        oldcrl.write(open(crl, "rb").read())
+        oldcrl.write(open(CRL_FILE, "rb").read())
         oldcrl.flush()
         certtool_cmd(
             "--generate-crl",
             "--load-crl", oldcrl.name,
-            "--load-ca-privkey", cakey,
-            "--load-ca-certificate", cacert,
+            "--load-ca-privkey", CA_KEY,
+            "--load-ca-certificate", CA_CERT,
             "--load-certificate", pubcert,
             "--template", template,
-            "--outfile", crl
+            "--outfile", CRL_FILE
         )
         oldcrl.close()
     rmtree(basedir)
@@ -432,11 +430,15 @@ ORGANISATION = OrganisationType()
 
 
 @click.group()
-def cli():
+@click.pass_context
+def cli(ctx):
     """
     Manage Taskserver users and certificates
     """
-    pass
+    for path in (CA_KEY, CA_CERT, CRL_FILE):
+        if not os.path.exists(path):
+            msg = "CA setup not done or incomplete, missing file {}."
+            ctx.fail(msg.format(path))
 
 
 @cli.command("list-users")