diff --git a/tests/api.c b/tests/api.c
index 6fb6bc9d0..ef093859f 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -248,6 +248,10 @@
     #include <wolfssl/wolfcrypt/asn.h>
 #endif
 
+#ifdef WOLFSSL_SMALL_CERT_VERIFY
+    #include <wolfssl/wolfcrypt/asn.h>
+#endif
+
 #if defined(WOLFSSL_SHA3) || defined(HAVE_PKCS7) || !defined(NO_RSA)
     static int  devId = INVALID_DEVID;
 #endif
@@ -19454,6 +19458,77 @@ static void test_wc_GetSubjectRaw(void)
 #endif
 }
 
+static void test_CheckCertSignature(void)
+{
+#if !defined(NO_CERTS) && defined(WOLFSSL_SMALL_CERT_VERIFY)
+    WOLFSSL_CERT_MANAGER* cm = NULL;
+#if !defined(NO_FILESYSTEM)
+    FILE* fp;
+    byte  cert[4096];
+    int   certSz;
+#endif
+
+    AssertIntEQ(BAD_FUNC_ARG, CheckCertSignature(NULL, 0, NULL, NULL));
+    AssertNotNull(cm = wolfSSL_CertManagerNew_ex(NULL));
+    AssertIntEQ(BAD_FUNC_ARG, CheckCertSignature(NULL, 0, NULL, cm));
+
+#ifndef NO_RSA
+#ifdef USE_CERT_BUFFERS_1024
+    AssertIntEQ(ASN_NO_SIGNER_E, CheckCertSignature(server_cert_der_1024,
+                sizeof_server_cert_der_1024, NULL, cm));
+    AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCABuffer(cm,
+                ca_cert_der_1024, sizeof_ca_cert_der_1024,
+                WOLFSSL_FILETYPE_ASN1));
+    AssertIntEQ(0, CheckCertSignature(server_cert_der_1024,
+                sizeof_server_cert_der_1024, NULL, cm));
+#elif defined(USE_CERT_BUFFERS_2048)
+    AssertIntEQ(ASN_NO_SIGNER_E, CheckCertSignature(server_cert_der_2048,
+                sizeof_server_cert_der_2048, NULL, cm));
+    AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCABuffer(cm,
+                ca_cert_der_2048, sizeof_ca_cert_der_2048,
+                WOLFSSL_FILETYPE_ASN1));
+    AssertIntEQ(0, CheckCertSignature(server_cert_der_2048,
+                sizeof_server_cert_der_2048, NULL, cm));
+#endif
+#endif
+
+#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)
+    AssertIntEQ(ASN_NO_SIGNER_E, CheckCertSignature(serv_ecc_der_256,
+                sizeof_serv_ecc_der_256, NULL, cm));
+    AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCABuffer(cm,
+                ca_ecc_cert_der_256, sizeof_ca_ecc_cert_der_256,
+                WOLFSSL_FILETYPE_ASN1));
+    AssertIntEQ(0, CheckCertSignature(serv_ecc_der_256, sizeof_serv_ecc_der_256,
+                NULL, cm));
+#endif
+
+#if !defined(NO_FILESYSTEM)
+    wolfSSL_CertManagerFree(cm);
+    AssertNotNull(cm = wolfSSL_CertManagerNew_ex(NULL));
+#ifndef NO_RSA
+    AssertNotNull(fp = XFOPEN("./certs/server-cert.der", "rb"));
+    AssertIntGT((certSz = (int)XFREAD(cert, 1, sizeof(cert), fp)), 0);
+    XFCLOSE(fp);
+    AssertIntEQ(ASN_NO_SIGNER_E, CheckCertSignature(cert, certSz, NULL, cm));
+    AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm,
+                "./certs/ca-cert.pem", NULL));
+    AssertIntEQ(0, CheckCertSignature(cert, certSz, NULL, cm));
+#endif
+#ifdef HAVE_ECC
+    AssertNotNull(fp = XFOPEN("./certs/server-ecc.der", "rb"));
+    AssertIntGT((certSz = (int)XFREAD(cert, 1, sizeof(cert), fp)), 0);
+    XFCLOSE(fp);
+    AssertIntEQ(ASN_NO_SIGNER_E, CheckCertSignature(cert, certSz, NULL, cm));
+    AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm,
+                "./certs/ca-ecc-cert.pem", NULL));
+    AssertIntEQ(0, CheckCertSignature(cert, certSz, NULL, cm));
+#endif
+#endif
+
+    wolfSSL_CertManagerFree(cm);
+#endif
+}
+
 /*----------------------------------------------------------------------------*
  | wolfCrypt ECC
  *----------------------------------------------------------------------------*/
@@ -20696,6 +20771,7 @@ void ApiTest(void)
     test_wc_GetPkcs8TraditionalOffset();
     test_wc_SetSubjectRaw();
     test_wc_GetSubjectRaw();
+    test_CheckCertSignature();
 
     /* wolfCrypt ECC tests */
     test_wc_ecc_get_curve_size_from_name();
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 2ab357dd3..2c0139adb 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -7106,7 +7106,7 @@ static Signer* GetCABySubjectAndPubKey(DecodedCert* cert, void* cm)
  * Doesn't support:
  *   OCSP Only: alt lookup using subject and pub key w/o sig check
  */
-int CheckCertSignature(byte* cert, word32 certSz, void* heap, void* cm)
+int CheckCertSignature(const byte* cert, word32 certSz, void* heap, void* cm)
 {
 #ifndef WOLFSSL_SMALL_STACK
     SignatureCtx  sigCtx[1];
@@ -7131,6 +7131,10 @@ int CheckCertSignature(byte* cert, word32 certSz, void* heap, void* cm)
 #endif
     int           ret = 0;
 
+    if (cert == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
 #ifdef WOLFSSL_SMALL_STACK
     sigCtx = XMALLOC(sizeof(*sigCtx), heap, DYNAMIC_TYPE_SIGNATURE);
     if (sigCtx == NULL)
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 5badf16aa..c76d52b4c 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -859,7 +859,7 @@ WOLFSSL_ASN_API void FreeDecodedCert(DecodedCert*);
 WOLFSSL_ASN_API int  ParseCert(DecodedCert*, int type, int verify, void* cm);
 
 WOLFSSL_LOCAL int DecodePolicyOID(char *o, word32 oSz, byte *in, word32 inSz);
-WOLFSSL_LOCAL int CheckCertSignature(byte*,word32,void*,void* cm);
+WOLFSSL_API int CheckCertSignature(const byte*,word32,void*,void* cm);
 WOLFSSL_LOCAL int ParseCertRelative(DecodedCert*,int type,int verify,void* cm);
 WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);