diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e578712b8..f0e0ac9a7f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -114,6 +114,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7425](https://github.com/apache/trafficcontrol/pull/7425) *Traffic Control Cache Config (t3c)* Fixed issue with layered profile iteration being done in the wrong order.
 - [#6385](https://github.com/apache/trafficcontrol/issues/6385) *Traffic Ops* Reserved consistentHashQueryParameters cause internal server error
 - [#7471](https://github.com/apache/trafficcontrol/pull/7471) *Traffic Control Cache Config (t3c)* Fixed issue with MSO non topo origins from multiple cache groups.
+- [#4393](https://github.com/apache/trafficcontrol/issues/4393) *Traffic Ops* Fixed the error code and alert structure when TO is queried for a delivery service with no ssl keys.
 
 ### Removed
 - [#7271](https://github.com/apache/trafficcontrol/pull/7271) Remove components in `infrastructre/docker/`, not in use as cdn-in-a-box performs the same functionality.
diff --git a/traffic_ops/testing/api/v5/deliveryservices_keys_test.go b/traffic_ops/testing/api/v5/deliveryservices_keys_test.go
index 54b0775d5b..47b1d9cc50 100644
--- a/traffic_ops/testing/api/v5/deliveryservices_keys_test.go
+++ b/traffic_ops/testing/api/v5/deliveryservices_keys_test.go
@@ -380,7 +380,6 @@ func VerifySSLKeysOnDsCreationTest(t *testing.T) {
 				break
 			}
 		}
-
 		if err != nil || dsSSLKey == nil {
 			t.Fatalf("unable to get DS %s SSL key: %v", ds.XMLID, err)
 		}
diff --git a/traffic_ops/traffic_ops_golang/deliveryservice/keys.go b/traffic_ops/traffic_ops_golang/deliveryservice/keys.go
index ef02ebb683..65dce07d05 100644
--- a/traffic_ops/traffic_ops_golang/deliveryservice/keys.go
+++ b/traffic_ops/traffic_ops_golang/deliveryservice/keys.go
@@ -187,12 +187,26 @@ func GetSSLKeysByXMLID(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var userError error
+	sc := http.StatusInternalServerError
+	logAlert := true
 	keyObjV4, err := getSslKeys(inf, r.Context())
 	if err != nil {
-		userErr := api.LogErr(r, http.StatusInternalServerError, nil, err)
-		alerts.AddNewAlert(tc.ErrorLevel, userErr.Error())
-		api.WriteAlerts(w, r, http.StatusInternalServerError, alerts)
-		return
+		userError = api.LogErr(r, sc, nil, err)
+		if err == sql.ErrNoRows {
+			if inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 5, Minor: 0}) {
+				sc = http.StatusNotFound
+				userError = api.LogErr(r, sc, errors.New("no ssl keys for XML ID "+xmlID), nil)
+			} else {
+				// For versions lesser than 5.0, don't log an alert if the error is ErrNoRows. This is for backward compatibility reasons.
+				logAlert = false
+			}
+		}
+		if logAlert {
+			alerts.AddNewAlert(tc.ErrorLevel, userError.Error())
+			api.WriteAlerts(w, r, sc, alerts)
+			return
+		}
 	}
 
 	var keyObj interface{}
@@ -216,6 +230,9 @@ func getSslKeys(inf *api.APIInfo, ctx context.Context) (tc.DeliveryServiceSSLKey
 
 	keyObjFromTv, ok, err := inf.Vault.GetDeliveryServiceSSLKeys(xmlID, version, inf.Tx.Tx, ctx)
 	if err != nil {
+		if err == sql.ErrNoRows {
+			return tc.DeliveryServiceSSLKeysV4{}, err
+		}
 		return tc.DeliveryServiceSSLKeysV4{}, errors.New("getting ssl keys: " + err.Error())
 	}
 	keyObj := tc.DeliveryServiceSSLKeysV4{}
diff --git a/traffic_ops/traffic_ops_golang/deliveryservice/sslkeys.go b/traffic_ops/traffic_ops_golang/deliveryservice/sslkeys.go
index f3a133c066..38402e9cf0 100644
--- a/traffic_ops/traffic_ops_golang/deliveryservice/sslkeys.go
+++ b/traffic_ops/traffic_ops_golang/deliveryservice/sslkeys.go
@@ -122,7 +122,9 @@ func GeneratePlaceholderSelfSignedCert(ds tc.DeliveryServiceV5, inf *api.APIInfo
 	tv := inf.Vault
 	_, ok, err := tv.GetDeliveryServiceSSLKeys(ds.XMLID, "", tx, context)
 	if err != nil {
-		return fmt.Errorf("getting latest ssl keys for XMLID '%s': %w", ds.XMLID, err), http.StatusInternalServerError
+		if err != sql.ErrNoRows {
+			return fmt.Errorf("getting latest ssl keys for XMLID '%s': %w", ds.XMLID, err), http.StatusInternalServerError
+		}
 	}
 	if ok {
 		return nil, http.StatusOK
diff --git a/traffic_ops/traffic_ops_golang/trafficvault/backends/postgres/postgres.go b/traffic_ops/traffic_ops_golang/trafficvault/backends/postgres/postgres.go
index b1bdc1b394..1499882d30 100644
--- a/traffic_ops/traffic_ops_golang/trafficvault/backends/postgres/postgres.go
+++ b/traffic_ops/traffic_ops_golang/trafficvault/backends/postgres/postgres.go
@@ -138,7 +138,7 @@ func (p *Postgres) GetDeliveryServiceSSLKeys(xmlID string, version string, tx *s
 	err = tvTx.QueryRow(query, xmlID, version).Scan(&encryptedSslKeys)
 	if err != nil {
 		if err == sql.ErrNoRows {
-			return tc.DeliveryServiceSSLKeysV15{}, false, nil
+			return tc.DeliveryServiceSSLKeysV15{}, false, err
 		}
 		e := checkErrWithContext("Traffic Vault PostgreSQL: executing SELECT SSL Keys query", err, ctx.Err())
 		return tc.DeliveryServiceSSLKeysV15{}, false, e