diff --git a/cmd/admin/key_test.go b/cmd/admin/key_test.go
index 40ce3ed3325..c5f7a1e6080 100644
--- a/cmd/admin/key_test.go
+++ b/cmd/admin/key_test.go
@@ -68,19 +68,35 @@ func TestSPKIHashesFromFile(t *testing.T) {
 	}
 }
-// This CSR has had its final bit flipped in the signature
 // The key is the p256 test key from RFC9500
-const badCSR = `
+const goodCSR = `
 -----BEGIN CERTIFICATE REQUEST-----
 MIG6MGICAQAwADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEIlSPiPt4L/teyj
 dERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41bihcTnpSILImSVymTQl9BQZq36Q
 pCpJQnKgADAKBggqhkjOPQQDAgNIADBFAiBadw3gvL9IjUfASUTa7MvmkbC4ZCvl
-21m1KMwkIx/+CQIhAKvuyfCcdZ0cWJYOXCOb1OavolWHIUzgEpNGUWul6O0t
+21m1KMwkIx/+CQIhAKvuyfCcdZ0cWJYOXCOb1OavolWHIUzgEpNGUWul6O0s
 -----END CERTIFICATE REQUEST-----
 `
 // TestCSR checks that we get the correct SPKI from a CSR, even if its signature is invalid
 func TestCSR(t *testing.T) {
+	expectedSPKIHash := "b2b04340cfaee616ec9c2c62d261b208e54bb197498df52e8cadede23ac0ba5e"
+
+	goodCSRFile := path.Join(t.TempDir(), "good.csr")
+	err := os.WriteFile(goodCSRFile, []byte(goodCSR), 0600)
+	test.AssertNotError(t, err, "writing good csr")
+
+	goodHash, err := spkiHashFromCSRPEM(goodCSRFile, true)
+	test.AssertNotError(t, err, "expected to read CSR")
+
+	if len(goodHash) != 1 {
+		t.Fatalf("expected to read 1 SPKI from CSR, read %d", len(goodHash))
+	}
+	test.AssertEquals(t, hex.EncodeToString(goodHash[0]), expectedSPKIHash)
+
+	// Flip a bit, in the signature, to make a bad CSR:
+	badCSR := strings.Replace(goodCSR, "Wul6", "Wul7", 1)
+
 	csrFile := path.Join(t.TempDir(), "bad.csr")
 	err := os.WriteFile(csrFile, []byte(badCSR), 0600)
 	test.AssertNotError(t, err, "writing bad csr")
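Review bot: The new `err := os.WriteFile(goodCSRFile, []byte(goodCSR), 0600)` declaration means the unchanged context line `err := os.WriteFile(csrFile, []byte(badCSR), 0600)` at the end of this hunk now redeclares `err` in the same scope, which the compiler rejects with "no new variables on left side of :=" — assuming that line really is unchanged context and not a `-`/`+` pair lost in the collapsed rendering. It should become `err = os.WriteFile(csrFile, []byte(badCSR), 0600)`, matching the `_, err = spkiHashFromCSRPEM(csrFile, true)` assignment that follows in the next hunk. `strings.Replace(goodCSR, "Wul6", "Wul7", 1)` needs `strings` in the file's import block, which is outside this diff, and it silently does nothing if `"Wul6"` ever stops appearing in the fixture, so a guard like `if badCSR == goodCSR { t.Fatal("bit flip did not change the CSR") }` keeps the bad-signature case honest. The doc comment `// TestCSR checks that we get the correct SPKI from a CSR, even if its signature is invalid` now undersells the test, which first verifies the CSR with signature checking enabled; `// TestCSR checks that we get the correct SPKI from a CSR with a valid signature, and from one with a corrupted signature when signature checking is disabled` would match. TestCSR's body continues in the next hunk.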
@@ -88,14 +104,13 @@ func TestCSR(t *testing.T) {
 	_, err = spkiHashFromCSRPEM(csrFile, true)
 	test.AssertError(t, err, "expected invalid signature")
-	hashes, err := spkiHashFromCSRPEM(csrFile, false)
+	badHash, err := spkiHashFromCSRPEM(csrFile, false)
 	test.AssertNotError(t, err, "expected to read CSR with bad signature")
-	if len(hashes) != 1 {
-		t.Fatalf("expected to read 1 SPKI from CSR, read %d", len(hashes))
+	if len(badHash) != 1 {
+		t.Fatalf("expected to read 1 SPKI from CSR, read %d", len(badHash))
 	}
-	expected := "b2b04340cfaee616ec9c2c62d261b208e54bb197498df52e8cadede23ac0ba5e"
-	test.AssertEquals(t, hex.EncodeToString(hashes[0]), expected)
+	test.AssertEquals(t, hex.EncodeToString(badHash[0]), expectedSPKIHash)
 }
 // mockSARecordingBlocks is a mock which only implements the AddBlockedKey gRPC