diff --git a/pkg/util/pki/csr_test.go b/pkg/util/pki/csr_test.go
index 4430db6d4..b2f746732 100644
--- a/pkg/util/pki/csr_test.go
+++ b/pkg/util/pki/csr_test.go
@@ -416,6 +416,32 @@ func TestGenerateCSR(t *testing.T) {
 },
 }
 
+ basicConstraintsValue, err := asn1.Marshal(struct {
+ IsCA bool
+ }{
+ IsCA: true,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // 0xa0 = DigitalSignature, Encipherment and KeyCertSign usage
+ asn1KeyUsageWithCa, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0xa4}, BitLength: asn1BitLength([]byte{0xa4})})
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ basicConstraintsExtensions := []pkix.Extension{
+ {
+ Id: OIDExtensionKeyUsage,
+ Value: asn1KeyUsageWithCa,
+ },
+ {
+ Id: OIDExtensionBasicConstraints,
+ Value: basicConstraintsValue,
+ },
+ }
+
 exampleLiteralSubject := "CN=actual-cn, OU=FooLong, OU=Bar, O=example.org"
 rawExampleLiteralSubject, err := ParseSubjectStringToRawDerBytes(exampleLiteralSubject)
 if err != nil {
@@ -457,6 +483,17 @@ func TestGenerateCSR(t *testing.T) {
 ExtraExtensions: defaultExtraExtensions,
 },
 },
+ {
+ name: "Generate CSR from certificate with isCA set",
+ crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.org", IsCA: true}},
+ want: &x509.CertificateRequest{
+ Version: 0,
+ SignatureAlgorithm: x509.SHA256WithRSA,
+ PublicKeyAlgorithm: x509.RSA,
+ Subject: pkix.Name{CommonName: "example.org"},
+ ExtraExtensions: basicConstraintsExtensions,
+ },
+ },
 {
 name: "Generate CSR from certificate with extended key usages",
 crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "example.org", Usages: []cmapi.KeyUsage{cmapi.UsageDigitalSignature, cmapi.UsageKeyEncipherment, cmapi.UsageIPsecEndSystem}}},
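Review bot: The comment above `asn1KeyUsageWithCa` says `0xa0`, but the byte actually marshalled is `0xa4`, and only `0xa4` carries the KeyCertSign bit (`0xa0` is DigitalSignature and KeyEncipherment alone). Change it to `// 0xa4 = DigitalSignature, KeyEncipherment and KeyCertSign usage` so a reader verifying the expected CA key usage is not misled. Neither expected `pkix.Extension` sets `Critical`; if that mirrors what GenerateCSR emits, a one-line comment saying so would help, since criticality of basicConstraints matters once a signer turns the request into a CA certificate. The enclosing TestGenerateCSR starts and ends outside the hunk.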
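Review bot: The new case leaves `Usages` unset, so the expected `basicConstraintsExtensions` implicitly pins that `IsCA: true` adds KeyCertSign on top of what appear to be the default usages; a comment on the case such as `// IsCA with no explicit Usages: expect KeyCertSign added to the default key usage, plus basicConstraints CA:TRUE` would make that intent explicit. Consider a sibling case that combines `IsCA: true` with explicit `Usages`, because a CSR asking for CA capability is the request a signer most needs to see encoded exactly as intended. The rest of the table and the assertion loop of TestGenerateCSR lie outside the hunk, so existing coverage of that combination cannot be ruled out from here.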