diff --git a/pam/auth_client_test.cc b/pam/auth_client_test.cc
index 1ca19dad3cc8ba84702e7721cc06f808a5e9dfab..76935175aab65bb8d558a27ade5b660ca9844071 100644
--- a/pam/auth_client_test.cc
+++ b/pam/auth_client_test.cc
@@ -60,6 +60,30 @@ TEST(AuthClient, AuthOK) {
   auth_client_free(ac);
 }
 
+TEST(AuthClient, SSLFailsWithBadCertificate) {
+  auth_client_t ac;
+  int result;
+
+  ac = auth_client_new("service", server);
+  ASSERT_TRUE(ac != NULL);
+
+  auth_client_set_verbose(ac, 1);
+
+  // We can't tell auth_client to make an https request without a
+  // client certificate, but we can try to force a failure by
+  // providing a bad (unloadable) certificate, for example one where
+  // the private and public keys do not match. In this case,
+  // auth_client_set_certificate() should still succeed, since it
+  // doesn't perform this kind of correctness check.
+  result = auth_client_set_certificate(ac, ssl_ca, ssl_ca, ssl_key);
+  EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
+
+  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
+  EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
+
+  auth_client_free(ac);
+}
+
 int main(int argc, char **argv) {
   server = getenv("AUTH_SERVER");
   if (server == NULL) {
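Review bot: `EXPECT_NE(AC_OK, result)` in SSLFailsWithBadCertificate passes on any failure, so an unreachable or misconfigured AUTH_SERVER satisfies it just as well as a rejected certificate, and the test would not notice if the certificate stopped being the cause of the failure. If auth_client has a distinct error code for TLS/transport failures (none is visible in this hunk), assert it with `EXPECT_EQ(<tls error code>, result)`; otherwise add a comment such as `// Any non-OK result passes here; relies on AuthOK having shown the server is reachable.` `ssl_ca` is passed twice to `auth_client_set_certificate()`, which presumably is what produces the key mismatch the comment describes, so a short comment at the call naming the deliberately wrong argument would make that explicit. main() continues past the end of the hunk.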