diff --git a/core/src/test/java/google/registry/flows/TlsCredentialsTest.java b/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
index 52adbf053..e3049b11d 100644
--- a/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
+++ b/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
@@ -17,6 +17,7 @@ package google.registry.flows;
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth8.assertThat;
 import static google.registry.testing.CertificateSamples.SAMPLE_CERT;
+import static google.registry.testing.CertificateSamples.SAMPLE_CERT_HASH;
 import static google.registry.testing.DatabaseHelper.loadRegistrar;
 import static google.registry.testing.DatabaseHelper.persistResource;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
@@ -128,4 +129,18 @@ final class TlsCredentialsTest {
 // This would throw a RegistrarCertificateNotConfiguredException if cert hashes wren't bypassed.
 tls.validateCertificateHash(Registrar.loadByRegistrarId("TheRegistrar").get());
 }
+
+ @Test
+ void test_validateCertificateHash_passWithFailOverCerticate() throws Exception {
+ TlsCredentials tls =
+ new TlsCredentials(
+ false, Optional.of(SAMPLE_CERT_HASH), Optional.of("192.168.1.1"), certificateChecker);
+ persistResource(
+ loadRegistrar("TheRegistrar")
+ .asBuilder()
+ .setClientCertificate(null, clock.nowUtc())
+ .setFailoverClientCertificate(SAMPLE_CERT, clock.nowUtc())
+ .build());
+ tls.validateCertificateHash(Registrar.loadByRegistrarId("TheRegistrar").get());
+ }
 }
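Review bot: The added test in the second hunk only shows that a matching hash is accepted through the failover certificate; nothing in this hunk pins the reject path, i.e. that a client hash matching neither certificate still fails when the primary certificate is null and only the failover one is set. Because this is an authentication decision, a companion test asserting that rejection would keep the failover branch from silently becoming accept-anything. The first constructor argument is `false`, and the comment on the preceding test suggests some configurations bypass hash checks, so it is worth confirming (not visible here) that this test reaches the hash comparison rather than the bypass; a one-line comment such as `// Primary cert is unset; this throws unless the hash matches the failover cert.` would record the intent. The method name also carries a typo and should read `test_validateCertificateHash_passWithFailoverCertificate`. The enclosing class starts outside the hunk.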