diff --git a/server/keystore_test.go b/server/keystore_test.go
index 9b4ed223b33901e6f93540c91fa1ef17db2228d5..00b494962a0a1cea2bd281bed4f0ad1671721161 100644
--- a/server/keystore_test.go
+++ b/server/keystore_test.go
@@ -144,6 +144,46 @@ func TestKeystore_OpenAndGet(t *testing.T) {
 	}
 }
 
+func TestKeystore_OpenAndGet_BackwardsCompatibility(t *testing.T) {
+	c, keystore, cleanup := newTestContext(t)
+	defer cleanup()
+
+	// Decrypt the private key with the right password. Do not set a session ID.
+	err := keystore.Open(context.Background(), "testuser", string(pw), "", 60)
+	if err != nil {
+		t.Fatal("keystore.Open():", err)
+	}
+
+	// Call expire() now to make sure we don't wipe data that is
+	// not expired yet.
+	keystore.expire(time.Now())
+
+	// Sign a valid SSO ticket and use it to obtain the private
+	// key we just stored.
+	ssoTicket := c.sign("testuser", "keystore/", "domain")
+	result, err := keystore.Get("testuser", ssoTicket)
+	if err != nil {
+		t.Fatal("keystore.Get():", err)
+	}
+
+	expectedPEM, _ := privKey.PEM()
+	if !bytes.Equal(result, expectedPEM) {
+		t.Fatalf("keystore.Get() returned bad key: got %v, expected %v", result, expectedPEM)
+	}
+
+	// Verify user namespace isolation
+	keystore.Close("otheruser", "")
+	if _, err := keystore.Get("testuser", ssoTicket); err != nil {
+		t.Fatalf("keystore.Get() returned error after Close(otheruser): %v", err)
+	}
+
+	// Call Close() and forget the key.
+	keystore.Close("testuser", "")
+	if _, err := keystore.Get("testuser", ssoTicket); err == nil {
+		t.Fatal("keystore.Get() returned no error after Close()")
+	}
+}
+
 func TestKeystore_OpenAndGet_MultipleSessions(t *testing.T) {
 	c, keystore, cleanup := newTestContext(t)
 	defer cleanup()