diff --git a/tests/setup-kryoptic.sh b/tests/setup-kryoptic.sh
index 50426966..178c797e 100755
--- a/tests/setup-kryoptic.sh
+++ b/tests/setup-kryoptic.sh
@@ -125,7 +125,8 @@ SERIAL=1
 title LINE "Creating new Self Sign CA"
 KEYID='0000'
 URIKEYID="%00%00"
-CACRT="${TMPPDIR}/CAcert"
+CACRT="${TMPPDIR}/CAcert.crt"
+CACRT_PEM="${TMPPDIR}/CAcert.pem"
 CACRTN="caCert"
 
 
@@ -133,14 +134,17 @@ CACRTN="caCert"
 # shellcheck disable=SC2086
 pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="RSA:2048" \
  --label="${CACRTN}" --id="${KEYID}" 2>&1
-"${certtool}" --generate-self-signed --outfile="${CACRT}.crt" \
+"${certtool}" --generate-self-signed --outfile="${CACRT}" \
  --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
  --load-privkey "pkcs11:object=$CACRTN;type=private" \
  --load-pubkey "pkcs11:object=$CACRTN;type=public" --outder 2>&1
 # shellcheck disable=SC2086
-pkcs11-tool ${P11DEFARGS} --write-object "${CACRT}.crt" --type=cert \
+pkcs11-tool ${P11DEFARGS} --write-object "${CACRT}" --type=cert \
  --id=$KEYID --label="$CACRTN" 2>&1
 
+# convert the DER cert to PEM
+openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"
+
 # the organization identification is not in the CA
 echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg"
 
@@ -159,7 +163,7 @@ ca_sign() {
  --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
  --load-privkey "pkcs11:object=$LABEL;type=private" \
  --load-pubkey "pkcs11:object=$LABEL;type=public" --outder \
- --load-ca-certificate "${CACRT}.crt" --inder \
+ --load-ca-certificate "${CACRT}" --inder \
  --load-ca-privkey="pkcs11:object=$CACRTN;type=private" 2>&1
 # shellcheck disable=SC2086
 pkcs11-tool ${P11DEFARGS} --write-object "${CRT}.crt" --type=cert \
@@ -409,6 +413,8 @@ export KRYOPTIC_CONF="${TMPPDIR}/tokens/kryoptic.sql"
 export TESTSSRCDIR="${TESTSSRCDIR}"
 export TESTBLDDIR="${TESTBLDDIR}"
 
+export CACRT="${CACRT_PEM}"
+
 export TOKDIR="${TOKDIR}"
 export TMPPDIR="${TMPPDIR}"
 export PINVALUE="${PINVALUE}"
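Review bot: The new `openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"` line in the @@ -133,14 +134,17 @@ hunk has no status check and, unlike the other tool invocations in this hunk, no `2>&1`, so a failed conversion leaves an empty `CAcert.pem` behind (the shell creates the file before openssl runs) that is later exported as `CACRT` and only surfaces as an unrelated failure in whatever consumes it. Unless the script runs under `set -e` (not visible in this hunk), I would write it as `openssl x509 -inform DER -in "$CACRT" -outform PEM -out "$CACRT_PEM" 2>&1 || exit 1` so the failure aborts the setup and its diagnostics land next to the other setup output. The same unchecked line is added in the tests/setup-softhsm.sh hunk at @@ -126,18 +126,22 @@.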
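Review bot: `export CACRT="${CACRT_PEM}"` in the @@ -409,6 +413,8 @@ hunk changes the meaning of `CACRT` from the DER file at `${TMPPDIR}/CAcert.crt` to the PEM file, while `ca_sign()` (its body continues outside the @@ -159,7 +163,7 @@ hunk) still passes `"${CACRT}"` together with `--inder`; any `ca_sign` call that runs after this export, now or after a later reordering, would hand certtool a PEM file under a DER flag. Keeping the two encodings under distinct names avoids that trap, e.g. `CACRT_DER="${TMPPDIR}/CAcert.crt"` for the script-internal uses with `CACRT` only ever naming the PEM, or at minimum a comment above the export such as `# CACRT is re-pointed at the PEM copy for the test programs; ca_sign() above uses the DER file`. The same reassignment appears in the tests/setup-softhsm.sh hunk at @@ -400,6 +404,8 @@.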
diff --git a/tests/setup-softhsm.sh b/tests/setup-softhsm.sh
index 24fcbf4f..f037432a 100755
--- a/tests/setup-softhsm.sh
+++ b/tests/setup-softhsm.sh
@@ -126,18 +126,22 @@ softhsm2-util --init-token --label "token_name" --free --pin $PINVALUE --so-pin
 title LINE "Creating new Self Sign CA"
 KEYID='0000'
 URIKEYID="%00%00"
-CACRT="${TMPPDIR}/CAcert"
+CACRT="${TMPPDIR}/CAcert.crt"
+CACRT_PEM="${TMPPDIR}/CAcert.pem"
 CACRTN="caCert"
 ((SERIAL+=1))
 pkcs11-tool --keypairgen --key-type="RSA:2048" --login --pin=$PINVALUE \
  --module="$P11LIB" --label="${CACRTN}" --id="$KEYID"
-"${certtool}" --generate-self-signed --outfile="${CACRT}.crt" \
+"${certtool}" --generate-self-signed --outfile="${CACRT}" \
  --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
  --load-privkey "pkcs11:object=$CACRTN;type=private" \
  --load-pubkey "pkcs11:object=$CACRTN;type=public" --outder
-pkcs11-tool --write-object "${CACRT}.crt" --type=cert --id=$KEYID \
+pkcs11-tool --write-object "${CACRT}" --type=cert --id=$KEYID \
  --label="$CACRTN" --module="$P11LIB"
 
+# convert the DER cert to PEM
+openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"
+
 # the organization identification is not in the CA
 echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg"
 
@@ -156,7 +160,7 @@ ca_sign() {
  --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
  --load-privkey "pkcs11:object=$LABEL;type=private" \
  --load-pubkey "pkcs11:object=$LABEL;type=public" --outder \
- --load-ca-certificate "${CACRT}.crt" --inder \
+ --load-ca-certificate "${CACRT}" --inder \
  --load-ca-privkey="pkcs11:object=$CACRTN;type=private"
 pkcs11-tool --write-object "${CRT}.crt" --type=cert --id="$KEYID" \
  --label="$LABEL" --module="$P11LIB"
@@ -400,6 +404,8 @@ export PINVALUE="${PINVALUE}"
 export SEEDFILE="${TMPPDIR}/noisefile.bin"
 export RAND64FILE="${TMPPDIR}/64krandom.bin"
 
+export CACRT="${CACRT_PEM}"
+
 export BASEURIWITHPINVALUE="${BASEURIWITHPINVALUE}"
 export BASEURIWITHPINSOURCE="${BASEURIWITHPINSOURCE}"
 export BASEURI="${BASEURI}"
diff --git a/tests/setup-softokn.sh b/tests/setup-softokn.sh
index 5ec75f92..1a25eca2 100755
--- a/tests/setup-softokn.sh
+++ b/tests/setup-softokn.sh
@@ -42,7 +42,8 @@ certutil -N -d "${TOKDIR}" -f "${PINFILE}"
 title LINE "Creating new Self Sign CA"
 
 ((SERIAL+=1))
-certutil -S -s "CN=Issuer" -n selfCA -x -t "C,C,C" \
+CACRTN="selfCA"
+certutil -S -s "CN=Issuer" -n "${CACRTN}" -x -t "C,C,C" \
  -m "${SERIAL}" -1 -2 -5 --keyUsage certSigning,crlSigning \
  --nsCertType sslCA,smimeCA,objectSigningCA \
  -f "${PINFILE}" -d "${TOKDIR}" -z "${SEEDFILE}" >/dev/null 2>&1 <