diff --git a/src/repository/crl.rs b/src/repository/crl.rs
index f238004..43bd070 100644
--- a/src/repository/crl.rs
+++ b/src/repository/crl.rs
@@ -563,7 +563,9 @@ impl RevokedCertificates {
 
     /// Returns a value encoder for a reference to the value.
     pub fn encode_ref(&self) -> impl encode::Values + '_ {
-        encode::sequence(&self.0)
+        (!self.0.is_empty()).then(|| {
+            encode::sequence(&self.0)
+        })
     }
 
     /// Create a value from an iterator over CRL entries.
@@ -818,6 +820,7 @@ mod signer_test {
 
     #[test]
     fn build_ta_cert() {
+        // CRL with two CrlEntries.
         let signer = OpenSslSigner::new();
         let key = signer.create_key(PublicKeyFormat::Rsa).unwrap();
         let pubkey = signer.get_key_info(&key).unwrap();
@@ -826,12 +829,33 @@ mod signer_test {
             pubkey.to_subject_name(),
             Time::now(),
             Time::tomorrow(),
-            vec![CrlEntry::new(12u64.into(), Time::now())],
+            vec![
+                CrlEntry::new(12u64.into(), Time::now()),
+                CrlEntry::new(42u64.into(), Time::now())
+            ],
+            pubkey.key_identifier(),
+            12u64.into()
+        );
+        let crl = crl.into_crl(&signer, &key).unwrap().to_captured();
+        let crl = Crl::decode(crl.as_slice()).unwrap();
+        assert_eq!(
+            crl.revoked_certs().iter().collect::<Vec<_>>().len(),
+            2
+        );
+
+        // CRL with no CrlEntries.
+        let crl = TbsCertList::new(
+            Default::default(),
+            pubkey.to_subject_name(),
+            Time::now(),
+            Time::tomorrow(),
+            vec![],
             pubkey.key_identifier(),
             12u64.into()
         );
         let crl = crl.into_crl(&signer, &key).unwrap().to_captured();
-        let _crl = Crl::decode(crl.as_slice()).unwrap();
+        let crl = Crl::decode(crl.as_slice()).unwrap();
+        assert!(crl.revoked_certs().iter().next().is_none());
     }
 }