diff --git a/0003-libnma-empty-certificate-fix-rh1469852.patch b/0003-libnma-empty-certificate-fix-rh1469852.patch
new file mode 100644
index 0000000..a75943d
--- /dev/null
+++ b/0003-libnma-empty-certificate-fix-rh1469852.patch
@@ -0,0 +1,53 @@
+From ecaf0b448fb4bb9c224679df8c64caef6714cef5 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Tue, 18 Jul 2017 10:53:02 +0200
+Subject: [PATCH 1/1] libnma: don't return empty passwords from certificate
+ chooser
+
+Return NULL if the user did not specify any password. Setting an empty
+password in the connection when it's not needed (e.g. for CA and
+client certificate) makes the connection invalid.
+
+Fixes: cfb753f6c907aa443307e48fb21eae0b2755bf22
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1469852
+(cherry picked from commit f78c1fe9e528a7cf2edd430a559e2fe5fd5525a7)
+---
+ src/libnma/nma-pkcs11-cert-chooser.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/libnma/nma-pkcs11-cert-chooser.c b/src/libnma/nma-pkcs11-cert-chooser.c
+index 852be2e1..1c033e93 100644
+--- a/src/libnma/nma-pkcs11-cert-chooser.c
++++ b/src/libnma/nma-pkcs11-cert-chooser.c
+@@ -48,9 +48,12 @@ static const gchar *
+ get_key_password (NMACertChooser *cert_chooser)
+ {
+ 	NMAPkcs11CertChooserPrivate *priv = NMA_PKCS11_CERT_CHOOSER_GET_PRIVATE (cert_chooser);
++	const gchar *text;
+ 
+ 	g_return_val_if_fail (priv->key_password != NULL, NULL);
+-	return gtk_entry_get_text (GTK_ENTRY (priv->key_password));
++	text = gtk_entry_get_text (GTK_ENTRY (priv->key_password));
++
++	return text && text[0] ? text : NULL;
+ }
+ 
+ static void
+@@ -87,9 +90,12 @@ static const gchar *
+ get_cert_password (NMACertChooser *cert_chooser)
+ {
+ 	NMAPkcs11CertChooserPrivate *priv = NMA_PKCS11_CERT_CHOOSER_GET_PRIVATE (cert_chooser);
++	const gchar *text;
+ 
+ 	g_return_val_if_fail (priv->cert_password != NULL, NULL);
+-	return gtk_entry_get_text (GTK_ENTRY (priv->cert_password));
++	text = gtk_entry_get_text (GTK_ENTRY (priv->cert_password));
++
++	return text && text[0] ? text : NULL;
+ }
+ 
+ static void
+-- 
+2.13.5
+
diff --git a/network-manager-applet.spec b/network-manager-applet.spec
index de999b1..d171b55 100644
--- a/network-manager-applet.spec
+++ b/network-manager-applet.spec
@@ -5,12 +5,12 @@
 
 %global rpm_version 1.8.2
 %global real_version 1.8.2
-%global release_version 2
+%global release_version 3
 
 Name: network-manager-applet
 Summary: A network control and status applet for NetworkManager
 Version: %{rpm_version}
-Release: %{release_version}%{?dist}.2
+Release: %{release_version}%{?dist}
 Group: Applications/System
 License: GPLv2+
 URL: http://www.gnome.org/projects/NetworkManager/
@@ -20,6 +20,7 @@ Source: https://download.gnome.org/sources/network-manager-applet/1.8/%{name}-%{
 Patch0: nm-applet-no-notifications.patch
 Patch1: 0001-wireless-security-acually-save-the-PKCS-11-PINs-for-.patch
 Patch2: 0002-wireless-security-fix-some-crash-issues-on-connectio.patch
+Patch3: 0003-libnma-empty-certificate-fix-rh1469852.patch
 
 Requires: NetworkManager >= %{nm_version}
 Requires: NetworkManager-glib >= %{nm_version}
@@ -122,6 +123,7 @@ This package deprecates libnm-gtk.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 autoreconf -i -f
@@ -237,6 +239,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &>/dev/null || :
 
 
 %changelog
+* Wed Aug 23 2017 Thomas Haller <thaller@redhat.com> - 1.8.2-3
+- libnma: fix certificate picker for empty certificates (rh#1469852)
+
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.2-2.2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild