diff --git a/ca/certificate-authority_test.go b/ca/certificate-authority_test.go
index 0964a39b2..084f50543 100644
--- a/ca/certificate-authority_test.go
+++ b/ca/certificate-authority_test.go
@@ -563,6 +563,12 @@ func TestRejectValidityTooLong(t *testing.T) {
 test.AssertNotError(t, err, "Failed to create CA")
 ca.SA = storageAuthority
+ // Test that the CA rejects CSRs that would expire after the intermediate cert
+ csrDER, _ := hex.DecodeString(NO_CN_CSR_HEX)
+ csr, _ := x509.ParseCertificateRequest(csrDER)
+ _, err = ca.IssueCertificate(*csr, 1, FarPast)
+ test.Assert(t, err != nil, "Cannot issue a certificate that expires after the underlying authorization.")
+ // Test that the CA rejects CSRs that would expire after the intermediate cert
 csrDER, _ = hex.DecodeString(NO_CN_CSR_HEX)
 csr, _ = x509.ParseCertificateRequest(csrDER)
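Review bot: The new `test.Assert(t, err != nil, ...)` after the `FarPast` call is satisfied by any error from `ca.IssueCertificate`, so this case would keep passing if the authorization-expiry check were removed and issuance failed for an unrelated reason (the fixture is `NO_CN_CSR_HEX`, and whether that CSR is otherwise issuable is not visible here). Because the case guards against a certificate outliving its authorization, the assertion should pin the specific error that check returns, by type or message, which is defined outside this hunk. The comment above the new block is identical to the one on the following case and describes the intermediate-cert bound; something like `// Test that the CA rejects CSRs whose certificate would outlive the authorization` matches what the assertion message says is tested. The results of `hex.DecodeString` and `x509.ParseCertificateRequest` are discarded, so a broken fixture shows up as a nil dereference at `*csr` instead of a test failure. The body of TestRejectValidityTooLong starts and ends outside the hunk.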