diff --git a/pkg/vpn/utils_test.go b/pkg/vpn/utils_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..67251bfca9e29583c777f0581816895f42c08986
--- /dev/null
+++ b/pkg/vpn/utils_test.go
@@ -0,0 +1,53 @@
+package vpn
+
+import (
+	"os"
+	"testing"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/stretchr/testify/require"
+)
+
+func init() {
+	log.Logger = zerolog.New(zerolog.ConsoleWriter{Out: os.Stdout}).With().Timestamp().Logger()
+}
+
+func TestIsValidCertExpired(t *testing.T) {
+	certFile := "testdata/expired.pem"
+	require.False(t, isValidCert(certFile), "The test with the expired pem failed")
+}
+
+func TestIsValidCertEmpty(t *testing.T) {
+	certFile := "testdata/empty.pem"
+	require.False(t, isValidCert(certFile), "The test with the empty pem file failed")
+}
+
+func TestIsValidCertKeyMissing(t *testing.T) {
+	certFile := "testdata/privatekeymissing.pem"
+	require.False(t, isValidCert(certFile), "The test with the missing private key failed")
+}
+
+func TestIsValidCertBroken(t *testing.T) {
+	certFile := "testdata/broken.pem"
+	require.False(t, isValidCert(certFile), "The test with the broken pem file failed")
+}
+
+// TODO: make this backend agnostic, currently only works with menshen https://0xacab.org/leap/bitmask-vpn/-/issues/825
+//func TestIsValidCertFromMenshenValid(t *testing.T) {
+//	// needs API_URL="http://localhost:8443" via env
+//	m, err := menshen.New()
+//	require.NoError(t, err, "Could not create menshen instance")
+//
+//	tmpFile, err := ioutil.TempFile(os.TempDir(), "leap-client-cert.pem")
+//	require.NoError(t, err, "Could not create tmp file for OpenVPN client credentials")
+//	defer os.Remove(tmpFile.Name())
+//
+//	cert, err := m.GetPemCertificate()
+//	require.NoError(t, err, "Could not get PEM certificate from menshen")
+//
+//	_, err = tmpFile.Write(cert)
+//	require.NoError(t, err, "Could not write to tmp OpenVPN client credentials file")
+//
+//	assert.True(t, isValidCert(tmpFile.Name()), "PEM file from Menshen is not a valid certificate")
+//}