diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 11a6636863..e10e086005 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
 $no_rc2 = 1 if disabled("legacy");
-plan tests => 14;
+plan tests => 15;
 ok(run(test(["pkcs7_test"])), "test pkcs7");
@@ -889,6 +889,50 @@ subtest "CMS signed digest, S/MIME format" => sub {
 "Verify CMS signed digest, S/MIME format");
 };
+subtest "CMS code signing test" => sub {
+ plan tests => 7;
+ my $sig_file = "signature.p7s";
+ ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
+ "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "smrsa1.pem"),
+ "-out", $sig_file])),
+ "accept perform CMS signature with smime certificate");
+
+ ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+ "-CAfile", catfile($smdir, "smroot.pem"),
+ "-content", $smcont])),
+ "accept verify CMS signature with smime certificate");
+
+ ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+ "-CAfile", catfile($smdir, "smroot.pem"),
+ "-purpose", "codesign",
+ "-content", $smcont])),
+ "fail verify CMS signature with smime certificate for purpose code signing");
+
+ ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+ "-CAfile", catfile($smdir, "smroot.pem"),
+ "-purpose", "football",
+ "-content", $smcont])),
+ "fail verify CMS signature with invalid purpose argument");
+
+ ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
+ "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "csrsa1.pem"),
+ "-out", $sig_file])),
+ "accept perform CMS signature with code signing certificate");
+
+ ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+ "-CAfile", catfile($smdir, "smroot.pem"),
+ "-purpose", "codesign",
+ "-content", $smcont])),
+ "accept verify CMS signature with code signing certificate for purpose code signing");
+
+ ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+ "-CAfile", catfile($smdir, "smroot.pem"),
+ "-content", $smcont])),
+ "fail verify CMS signature with code signing certificate for purpose smime_sign");
+};
+
 sub check_availability {
 my $tnam = shift;
diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
index 31bddea1fa..7d453e8957 100644
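Review bot: Both `-sign` invocations write to the same `$sig_file` (`"signature.p7s"`), so if the second signing step (the one using `csrsa1.pem`) fails, the two verifications after it run against the stale S/MIME signature: the `-purpose codesign` case then fails for the wrong reason and the final negative case passes for the wrong reason. Giving the code-signing signature its own output, e.g. `my $cs_sig_file = "signature_cs.p7s";` used in the last three `ok()` calls, ties each verify to the signature it is meant to check. The `-purpose football` assertion also deserves a comment: `!run(...)` only observes a non-zero exit, so it cannot distinguish an unrecognised purpose from a genuine verification failure, e.g. `# an unknown -purpose is rejected before verification; run() only sees the non-zero exit`. `check_availability` begins at the end of this hunk and continues outside it.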
--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -54,6 +54,15 @@ keyUsage=critical, keyAgreement
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
+[ codesign_cert ]
+
+# These extensions are added when 'ca' signs a request for a code-signing
+# end-entity certificate
+
+basicConstraints=CA:FALSE
+keyUsage=critical, digitalSignature
+extendedKeyUsage=codeSigning
+
 [ v3_ca ]
diff --git a/test/smime-certs/csrsa1.pem b/test/smime-certs/csrsa1.pem
new file mode 100644
index 0000000000..d3276d9ec7
--- /dev/null
+++ b/test/smime-certs/csrsa1.pem
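Review bot: The comment on the new `[ codesign_cert ]` section says the extensions are added "when 'ca' signs a request", but the `mksmime-certs.sh` change in this same commit applies them with `x509 -req -extfile ca.cnf -extensions codesign_cert`, so the wording (likely carried over from the neighbouring sections) does not describe how this section is actually used. Suggested replacement: `# These extensions are added when 'x509 -req -extensions codesign_cert' (see mksmime-certs.sh) signs a request for a code-signing end-entity certificate`. It may also be worth a one-line comment that the section deliberately carries only `codeSigning` in `extendedKeyUsage`, since the negative S/MIME-purpose test in `80-test_cms.t` depends on that.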
@@ -0,0 +1,50 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCo/4lYYYWu3tss
+D9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT5Rcf/w3G
+Q/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1lDz9mjsI2
+oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1U7OWaoIb
+FYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5ep5LR2in
+Kcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tniIQPYf55
+NB9KiR+3AgMBAAECggEAFvp/40uHUMquhGQ2wsl5/zzVV6ZECFGhIaoVdwiq7Npl
+cERPGSxdt7mXg+AliGQO2JXIf4iDx273oYC3PFuWbn9YMQd5RUuAZ/oD+hB25QB8
+vmGJTeqDUgZ0+4qs0fsM5upPUqFrHnfEwoarS9oMh0HEQi9yWzHy7E/E9Rk0dm8Q
+qAwfKKqqwBe0RIp6GOwRJ2AO4NLvPh1oddVX15zvVeDP5pmHScZKtGXf9sIKfJJo
+JN7N5UaviOKEGpQtxKVNOjn1wYusvzrvz3U3TmvyXTGkPCdSxK/6bz0LN+Lwyfzw
+RpSoNUe/cREZJkXDIIaqvmzlQVk1aKDdAx4+8ltyWQKBgQDahgSMZAAeGuQwtI+S
+jor9dNWcxEr5Uf/iw5gWmp5E59CSyc35Zj5rdf4M12X7jPRqAbFcM6FgERtbKyYd
+lg+PGgcKMYXKXJWimA6xU06+wwRl1iI/j718FCLeov6Lt17VHr8sjO3GiZ/WtHz1
+H6mqV8i9vcClmA6IyS+EQvtkBQKBgQDF+y0JwcbEzS3YqTHy4DGQtcCOkcLi+WM5
+APch7pev4I9MTgZdRnC6ZjnYKXQU9nzALZrH1PoHnFRZbsXbCFsmTdh/6g1L0b7B
+/zfZhB+9LiB7NBpfHiUydj1JQfkw/EvnLbs7r5EYGbpkMhpzmmzE9Yv0d+xj1CPd
+6kz/6CRdiwKBgBE1ZpxLr7qvMXModPn8obNuBPhweNsDexw3fP2itX4Fp2Y34DGY
+vKenxhbqy4wwwHqsoXP6WOYA0t+uGTVRQO5rBUznM3sJKXuBb/7E6bmaD/mZEF9j
+CXABAfH4cgU8roon/rQacQsmgWDeG80N7kWM3jEbBVXFELfy5/wJblSlAoGAUZax
+eNPiljf4LNGNRAogYwKD2D05k1AzE8rSDanF2TUx2MBO3yGoUyjNrcdnjzwFLS2e
+G7wpTfmeyTxdTWakKaTrE8vgrt5BPrFu0rUgX1YjDKLsO0axDZqspwQJLabLoPm3
+r2Eq6kOwDJqZTArXyFNo2daSFJHYNhvYn52LXwECgYB9CRrPMe0sWdbVPm55bXGM
+Ern05LQuaLaDZjsbsaH9Q5YPk99Sq7jklyQ3ZuHodSLAArHGu/96uu66xtMrRYcj
+c89fqFeqc/BwnkodvWJ3K80UNulnjfOcPVAPHaAr9GE9rJcjICNpu2+wJ2wi4JAF
+rLxFTZXBDbnGZ9QtcGcJSw==
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIUGi+UX00em2j4v8bJ1scHsD41/ccwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDgxNjExNTgwMFoYDzIxMjIw
+ODE2MTE1ODAwWjBHMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEgMB4GA1UEAwwXVGVzdCBDb2RlU2lnbiBFRSBSU0EgIzEwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lYYYWu3tssD9Vz++K3qBt6dWAr1H08c3a1
+rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJT
+YgVFTeAxl++qnRDSWA2eBp4yuxsIVl1lDz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4
+I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFk
+ijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5ep5LR2inKcc/SuIiJ7TvkGPX79ByST5b
+rbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tniIQPYf55NB9KiR+3AgMBAAGjcjBwMAkG
+A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB0G
+A1UdDgQWBBTnm+IqrYpsOst2UeWOB5gil+FzojAfBgNVHSMEGDAWgBQVwRMha+JV
+X6dqHVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAMpLHe2q3OYJ8kKYAvjS5
+VDiESqPPVyYMSKb6B7bsex/BgFArxmk+8hOpuyuqSoejiyVAO9re/JrmQetM1tNo
+7kd9R3WDL1D34hG7kgDTAaqbcBPDUc7gin8bTkZ3TJ6b7cUJrwh9XCwWXTcOlJ1O
+5wXeF9mATyHZGwChOrroiEzDkRoOdePj0sKNZZRopjOVZ50d/X8JMCmW/x8lvOui
+R+uDTotH9+sb3tghJ0cmpVKkFC0pXS/0DB5qVHrohJdkwLRu8AX3CWbcQgHWg7BR
+ZbQ6TamQB8AlXdYj8Fs7m7DMkkmBxjrQUu3s7FRTALxp/lqMcoaZy+bdBzd59GaO
+FQ==
+-----END CERTIFICATE-----
diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh
index 109b9c4abc..498190bcca 100644
--- a/test/smime-certs/mksmime-certs.sh
+++ b/test/smime-certs/mksmime-certs.sh
@@ -81,5 +81,14 @@ CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \
 $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
 -force_pubkey dhpub.pem \
 -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem
+
+# EE RSA code signing certificates: create request first
+CN="Test CodeSign EE RSA #1" $OPENSSL req -config ca.cnf -noenc \
+ -new -out req.pem -key ../certs/ee-key.pem
+cat ../certs/ee-key.pem > csrsa1.pem
+# Sign request: end entity extensions
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 -extfile ca.cnf \
+ -extensions codesign_cert >>csrsa1.pem
+
 # Remove temp files.
 rm -f req.pem ecp.pem ecp2.pem dsap.pem dhp.pem dhpub.pem smtmp.pem smroot.srl
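Review bot: The new `x509 -req` line omits `-CAcreateserial`, unlike the DH signing step directly above it, so it only works because `smroot.srl` already exists from an earlier step of the same run; adding the flag keeps the block usable on its own, i.e. `$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 -extfile ca.cnf -CAcreateserial \`. The lifetime `-days 36524` also differs from the `-days 36500` used for the other certificates; if that is deliberate (the committed csrsa1.pem appears to carry a notBefore/notAfter exactly 100 years apart, which 36524 days would give from 2022), a short comment such as `# 36524 days = exactly 100 years from the 2022 signing date` would stop the next reader "fixing" it back to 36500. The rest of the script lies outside this hunk.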