diff --git a/tests/data_files/server5-der0.crt b/tests/data_files/server5-der0.crt
new file mode 100644
index 000000000..08d8dd311
Binary files /dev/null and b/tests/data_files/server5-der0.crt differ
diff --git a/tests/data_files/server5-der1a.crt b/tests/data_files/server5-der1a.crt
new file mode 100644
index 000000000..015017b17
Binary files /dev/null and b/tests/data_files/server5-der1a.crt differ
diff --git a/tests/data_files/server5-der1b.crt b/tests/data_files/server5-der1b.crt
new file mode 100644
index 000000000..6340d9e2e
Binary files /dev/null and b/tests/data_files/server5-der1b.crt differ
diff --git a/tests/data_files/server5-der2.crt b/tests/data_files/server5-der2.crt
new file mode 100644
index 000000000..c6e320a36
Binary files /dev/null and b/tests/data_files/server5-der2.crt differ
diff --git a/tests/data_files/server5-der4.crt b/tests/data_files/server5-der4.crt
new file mode 100644
index 000000000..4af05cce1
Binary files /dev/null and b/tests/data_files/server5-der4.crt differ
diff --git a/tests/data_files/server5-der8.crt b/tests/data_files/server5-der8.crt
new file mode 100644
index 000000000..65be7dcae
Binary files /dev/null and b/tests/data_files/server5-der8.crt differ
diff --git a/tests/data_files/server5-der9.crt b/tests/data_files/server5-der9.crt
new file mode 100644
index 000000000..4947f1f83
Binary files /dev/null and b/tests/data_files/server5-der9.crt differ
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index d62d6f134..8f49e9661 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1559,6 +1559,64 @@ run_test    "Renego ext: gnutls client unsafe, server break legacy" \
             -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
             -S "server hello, secure renegotiation extension"
 
+# Tests for silently dropping trailing extra bytes in .der certificates
+
+requires_gnutls
+run_test    "DER format: no trailing bytes" \
+            "$P_SRV crt_file=data_files/server5-der0.crt \
+             key_file=data_files/server5.key" \
+            "$G_CLI " \
+            0 \
+            -c "Handshake was completed" \
+
+requires_gnutls
+run_test    "DER format: with a trailing zero byte" \
+            "$P_SRV crt_file=data_files/server5-der1a.crt \
+             key_file=data_files/server5.key" \
+            "$G_CLI " \
+            0 \
+            -c "Handshake was completed" \
+
+requires_gnutls
+run_test    "DER format: with a trailing random byte" \
+            "$P_SRV crt_file=data_files/server5-der1b.crt \
+             key_file=data_files/server5.key" \
+            "$G_CLI " \
+            0 \
+            -c "Handshake was completed" \
+
+requires_gnutls
+run_test    "DER format: with 2 trailing random bytes" \
+            "$P_SRV crt_file=data_files/server5-der2.crt \
+             key_file=data_files/server5.key" \
+            "$G_CLI " \
+            0 \
+            -c "Handshake was completed" \
+
+requires_gnutls
+run_test    "DER format: with 4 trailing random bytes" \
+            "$P_SRV crt_file=data_files/server5-der4.crt \
+             key_file=data_files/server5.key" \
+            "$G_CLI " \
+            0 \
+            -c "Handshake was completed" \
+
+requires_gnutls
+run_test    "DER format: with 8 trailing random bytes" \
+            "$P_SRV crt_file=data_files/server5-der8.crt \
+             key_file=data_files/server5.key" \
+            "$G_CLI " \
+            0 \
+            -c "Handshake was completed" \
+
+requires_gnutls
+run_test    "DER format: with 9 trailing random bytes" \
+            "$P_SRV crt_file=data_files/server5-der9.crt \
+             key_file=data_files/server5.key" \
+            "$G_CLI " \
+            0 \
+            -c "Handshake was completed" \
+
 # Tests for auth_mode
 
 run_test    "Authentication: server badcert, client required" \