diff --git a/tests/integration.rs b/tests/integration.rs
index 598641d3..f3adc124 100644
--- a/tests/integration.rs
+++ b/tests/integration.rs
@@ -53,6 +53,21 @@ pub fn netflix() {
);
}
+#[test]
+pub fn rewritten_cert() {
+ // This cert is a rewritten version of github.com's end entity cert, generated by an
+ // SSL inspection system (https://www.forcepoint.com/product/ngfw-next-generation-firewall).
+ // We believe the cert should be considered valid:
+ // - It can be parsed by OpenSSL, e.g., these both work:
+ // `openssl x509 -inform der -in tests/rewritten_cert.der -text -noout`
+ // `openssl asn1parse -i -inform der -in tests/rewritten_cert.der`
+ // - It's generated by a robust real-world system that works in practice...
+ // We encountered an issue where rustls cannot handle this rewritten cert. We traced this
+ // back to webpki, and specifically to the code exercised by this test.
+ let ee: &[u8] = include_bytes!("rewritten_cert.der");
+ webpki::EndEntityCert::try_from(ee).unwrap();
+}
+
+#[test]
+pub fn ed25519() {
+ let ee: &[u8] = include_bytes!("ed25519/ee.der");
diff --git a/tests/rewritten_cert.der b/tests/rewritten_cert.der
new file mode 100644
index 00000000..7d0cd40c
Binary files /dev/null and b/tests/rewritten_cert.der differ
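Review bot: The justification comment in `rewritten_cert` never states which encoding deviation in `rewritten_cert.der` makes webpki reject it, so a reviewer cannot judge whether the `unwrap()` on `EndEntityCert::try_from` is asserting correct behaviour or asking webpki to become more lenient; "OpenSSL parses it" and "it works in practice" are not the bar a strict RFC 5280/DER parser applies, and relaxing that to accommodate a TLS-interception middlebox is how parser-differential bugs are introduced. I would replace the two justification bullets with the concrete finding from the `asn1parse` output already referenced, e.g. `// webpki rejects this because <field> is encoded as <form>; this is/is not a DER violation per RFC 5280`, so the binary fixture is not opaque to the next maintainer. If the deviation turns out to be a genuine DER violation, the test should pin the error (`assert!(webpki::EndEntityCert::try_from(ee).is_err())`) rather than success. Hunk counts (`+53,21`) suggest the trailing `#[test] pub fn ed25519()` lines are context, not additions, so the extraction of this page appears to have garbled their markers.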