diff --git a/certs/csr.ext.der b/certs/csr.ext.der
new file mode 100644
index 000000000..fd39dea6c
Binary files /dev/null and b/certs/csr.ext.der differ
diff --git a/certs/include.am b/certs/include.am
index 7d613b9ef..c7e70ad1a 100644
--- a/certs/include.am
+++ b/certs/include.am
@@ -55,7 +55,8 @@ EXTRA_DIST += \
 	     certs/client-cert-ext.pem \
 	     certs/csr.attr.der \
 	     certs/csr.dsa.pem \
-	     certs/csr.signed.der
+	     certs/csr.signed.der \
+	     certs/csr.ext.der
 
 EXTRA_DIST += \
 	     certs/ca-key.der \
diff --git a/tests/api.c b/tests/api.c
index 630dce6e3..5e55bdc1d 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -38183,11 +38183,13 @@ static void test_wolfSSL_X509_CRL(void)
 static void test_wolfSSL_d2i_X509_REQ(void)
 {
 #if defined(WOLFSSL_CERT_REQ) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA))
-    /* ./certs/csr.signed.der and ./certs/csr.attr.der were
+    /* ./certs/csr.signed.der, ./certs/csr.ext.der, and ./certs/csr.attr.der were
      * generated by libest
-     * ./certs/csr.attr.der contains sample attributes */
+     * ./certs/csr.attr.der contains sample attributes
+     * ./certs/csr.ext.der contains sample extensions */
     const char* csrFile = "./certs/csr.signed.der";
     const char* csrPopFile = "./certs/csr.attr.der";
+    const char* csrExtFile = "./certs/csr.ext.der";
     /* ./certs/csr.dsa.pem is generated using
      * openssl req -newkey dsa:certs/dsaparams.pem \
      *     -keyout certs/csr.dsa.key.pem -keyform PEM -out certs/csr.dsa.pem \
@@ -38249,6 +38251,42 @@ static void test_wolfSSL_d2i_X509_REQ(void)
         AssertStrEQ((char*)ASN1_STRING_data(at->value.asn1_string), "2xIE+qqp/rhyTXP+");
 #endif
 
+        X509_free(req);
+        BIO_free(bio);
+        EVP_PKEY_free(pub_key);
+    }
+    {
+#ifdef OPENSSL_ALL
+        X509_ATTRIBUTE* attr;
+        ASN1_TYPE *at;
+#endif
+        AssertNotNull(bio = BIO_new_file(csrExtFile, "rb"));
+        /* This CSR contains an Extension Request attribute so
+         * we test extension parsing in a CSR attribute here. */
+        AssertNotNull(d2i_X509_REQ_bio(bio, &req));
+
+        /*
+         * Extract the public key from the CSR
+         */
+        AssertNotNull(pub_key = X509_REQ_get_pubkey(req));
+
+        /*
+         * Verify the signature in the CSR
+         */
+        AssertIntEQ(X509_REQ_verify(req, pub_key), 1);
+
+#ifdef OPENSSL_ALL
+        /*
+         * Obtain the challenge password from the CSR
+         */
+        AssertIntEQ(X509_REQ_get_attr_by_NID(req, NID_pkcs9_challengePassword, -1),
+                NID_pkcs9_challengePassword);
+        AssertNotNull(attr = X509_REQ_get_attr(req, NID_pkcs9_challengePassword));
+        AssertNotNull(at = X509_ATTRIBUTE_get0_type(attr, 0));
+        AssertNotNull(at->value.asn1_string);
+        AssertStrEQ((char*)ASN1_STRING_data(at->value.asn1_string), "IGCu/xNL4/0/wOgo");
+#endif
+
         X509_free(req);
         BIO_free(bio);
         EVP_PKEY_free(pub_key);