diff --git a/test/fixtures/certificates.yml b/test/fixtures/certificates.yml
new file mode 100644
index 000000000..c91df3ace
--- /dev/null
+++ b/test/fixtures/certificates.yml
@@ -0,0 +1,7 @@
+one:
+ api_user: api_bestnames
+ common_name: registry.test
+ crt: "-----BEGIN CERTIFICATE-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE-----\n"
+ md5: e6771ed5dc857a1dbcc1e0a36baa1fee
+ interface: api
+ revoked: false
diff --git a/test/models/api_user_test.rb b/test/models/api_user_test.rb
index 20d655a9c..dd907f75c 100644
--- a/test/models/api_user_test.rb
+++ b/test/models/api_user_test.rb
@@ -63,6 +63,21 @@ class ApiUserTest < ActiveSupport::TestCase
 assert_nil ApiUser.find_by_id_card(id_card)
 end
+ def test_verifies_pki_status
+ certificate = certificates(:one)
+
+ assert @user.pki_ok?(certificate.crt, certificate.common_name, api: true)
+ assert_not @user.pki_ok?(certificate.crt, 'invalid-cn', api: true)
+
+ certificate.update(interface: 'registrar')
+
+ assert @user.pki_ok?(certificate.crt, certificate.common_name, api: false)
+ assert_not @user.pki_ok?(certificate.crt, 'invalid-cn', api: false)
+
+ certificate.update(revoked: true)
+ assert_not @user.pki_ok?(certificate.crt, certificate.common_name, api: false)
+ end
+
 private
 def valid_user
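Review bot: test_verifies_pki_status never asserts that a certificate is rejected on the interface it was not issued for, so an implementation of pki_ok? that ignored `interface` entirely would still pass every assertion here. Adding `assert_not @user.pki_ok?(certificate.crt, certificate.common_name, api: false)` before the first `certificate.update`, and the same call with `api: true` right after it, would pin the interface scoping; pki_ok? itself is not part of this diff, so that it is meant to enforce the interface is inferred from the test switching `interface` together with `api:`. Revocation is likewise only checked with `api: false`, so a revoked certificate on the API interface stays untested. Both `certificate.update(...)` calls discard their return value; `certificate.update!(interface: 'registrar')` and `certificate.update!(revoked: true)` would make a failed save raise instead of leaving the later assertions to run against an unchanged record.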