diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 88f265ce1..212cb0129 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -1012,6 +1012,14 @@ server1.v1.der: server1.v1.crt
 	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
 all_final += server1.v1.crt server1.v1.der
 
+server1.ca.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+	$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 is_ca=1 version=3 output_file=$@
+server1.ca_noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+	$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 authority_identifier=0 is_ca=1 version=3 output_file=$@
+server1.ca.der: server1.ca.crt
+	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+all_final += server1.ca.crt server1.ca_noauthid.crt server1.ca.der
+
 server1_ca.crt: server1.crt $(test_ca_crt)
 	cat server1.crt $(test_ca_crt) > $@
 all_final += server1_ca.crt
diff --git a/tests/data_files/server1.ca.der b/tests/data_files/server1.ca.der
new file mode 100644
index 000000000..a5ff059bc
Binary files /dev/null and b/tests/data_files/server1.ca.der differ
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 6136a7923..90de6a576 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -277,6 +277,7 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
 
     if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 )
     {
+        /* For the CA case, a path length of -1 means unlimited. */
         TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, is_ca,
                                                                   (is_ca ? -1 : 0) ) == 0 );
         TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 );