diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index 80204b6578..e200175160 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -870,6 +870,16 @@ mymain(void)
 false, false, NULL, NULL,
 0, 0,
 };
+
+ DO_CTX_TEST(true, cacert1req, servercertreq, false);
+ DO_CTX_TEST(true, cacert2req, servercertreq, false);
+# if 0
+ DO_CTX_TEST(true, cacert3req, servercertreq, false);
+# endif
+ DO_CTX_TEST(true, cacert4req, servercertreq, false);
+
+ /* Now some bad certs */
+
 /* Key usage:dig-sig:not-critical */
 static struct testTLSCertReq cacert5req = {
 NULL, NULL, "cacert5.pem", "UK",
@@ -879,17 +889,6 @@ mymain(void)
 false, false, NULL, NULL,
 0, 0,
 };
-
- DO_CTX_TEST(true, cacert1req, servercertreq, false);
- DO_CTX_TEST(true, cacert2req, servercertreq, false);
-# if 0
- DO_CTX_TEST(true, cacert3req, servercertreq, false);
-# endif
- DO_CTX_TEST(true, cacert4req, servercertreq, false);
- DO_CTX_TEST(true, cacert5req, servercertreq, false);
-
- /* Now some bad certs */
-
 /* no-basic */
 static struct testTLSCertReq cacert6req = {
 NULL, NULL, "cacert6.pem", "UK",
@@ -909,6 +908,12 @@ mymain(void)
 0, 0,
 };
+ /* Technically a CA cert with basic constraints
+ * key purpose == key signing + non-critical should
+ * be rejected. GNUTLS < 3 does not reject it and
+ * we don't anticipate them changing this behaviour
+ */
+ DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3);
 DO_CTX_TEST(true, cacert6req, servercertreq, true);
 DO_CTX_TEST(true, cacert7req, servercertreq, true);
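Review bot: The comment added above `DO_CTX_TEST(true, cacert5req, servercertreq, GNUTLS_VERSION_MAJOR >= 3);` in the last hunk describes the cert as "key purpose == key signing", while the cacert5req definition it refers to is labelled `Key usage:dig-sig:not-critical`, and it never says outright that on GnuTLS < 3 the test now expects this CA cert to be accepted. I would reword it to something like `/* CA cert with non-critical key usage limited to digital signature should be rejected; GnuTLS < 3 accepts it, so failure is only expected on >= 3 */`, so the weaker expectation on old builds is visible to whoever reads a passing run. `GNUTLS_VERSION_MAJOR` is also a compile-time header value, so the expectation follows the headers the test was built against and not the library loaded at run time; if the macro takes a runtime expression, `gnutls_check_version("3.0.0") != NULL` would tie it to the library that actually validates the chain. mymain() starts and ends outside these hunks, so the DO_CTX_TEST definition itself is not visible here.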