diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t index 427c6b7fea1279b71a42650ff9b8330a53fbb56b..250738487a56d4514a95a8510183937203e6f4c8 100644 --- a/test/recipes/25-test_x509.t +++ b/test/recipes/25-test_x509.t @@ -41,6 +41,7 @@ SKIP: { # producing and checking self-issued (but not self-signed) cert my @path = qw(test certs); my $subj = "/CN=CA"; # using same DN as in issuer of ee-cert.pem + my $extfile = srctop_file("test", "v3_ca_exts.cnf"); my $pkey = srctop_file(@path, "ca-key.pem"); # issuer private key my $pubkey = "ca-pubkey.pem"; # the corresponding issuer public key # use any (different) key for signing our self-issued cert: @@ -50,10 +51,13 @@ SKIP: { ok(run(app(["openssl", "pkey", "-in", $pkey, "-pubout", "-out", $pubkey])) && run(app(["openssl", "x509", "-new", "-force_pubkey", $pubkey, - "-subj", $subj, "-signkey", $signkey, "-out", $selfout])) + "-subj", $subj, "-extfile", $extfile, + "-signkey", $signkey, "-out", $selfout])) && run(app(["openssl", "verify", "-no_check_time", - "-trusted", $selfout, $testcert]))); + "-trusted", $selfout, "-partial_chain", $testcert]))); + unlink $pubkey; + unlink $selfout; } subtest 'x509 -- x.509 v1 certificate' => sub { diff --git a/test/v3_ca_exts.cnf b/test/v3_ca_exts.cnf new file mode 100644 index 0000000000000000000000000000000000000000..a6d3245fb4e4fa33f082af2d9fadd88b313e53c0 --- /dev/null +++ b/test/v3_ca_exts.cnf @@ -0,0 +1,5 @@ +basicConstraints = CA:true +keyUsage = cRLSign, keyCertSign +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always +
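Review bot: The `ok(...)` in the second hunk chains the `pkey` export, the `x509 -new` call and the `verify` call with `&&` and passes no test name, so a failure in the log shows neither which step broke nor what was being checked. I would end it with a description, e.g. `"-trusted", $selfout, "-partial_chain", $testcert])), "accept self-issued, not self-signed cert as trust anchor");`. Because `-partial_chain` relaxes what `verify` accepts as a trust anchor, a negative control beside it would pin the intended behaviour; whether the same command without `-partial_chain` is expected to fail is not visible here and should be confirmed first. The two `unlink` calls also run when the assertion failed, which removes `$pubkey` and `$selfout` before they can be inspected. The enclosing `SKIP` block starts outside the hunk.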
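Review bot: The new `test/v3_ca_exts.cnf` carries no comment saying what it is for, and neither `basicConstraints` nor `keyUsage` is marked critical. A header line such as `# CA extensions for the self-issued (not self-signed) cert generated in test/recipes/25-test_x509.t` would keep the fixture from being reused with the wrong expectations. RFC 5280 expects `basicConstraints` to be critical in CA certificates, so if the non-critical form is deliberate for this test it deserves a one-line comment; otherwise write `basicConstraints = critical, CA:true`.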