diff --git a/msp/msp_test.go b/msp/msp_test.go
index bb891ae333f..ae16f885251 100644
--- a/msp/msp_test.go
+++ b/msp/msp_test.go
@@ -23,6 +23,8 @@ import (
 
 	"fmt"
 
+	"path/filepath"
+
 	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric/bccsp"
 	"github.com/hyperledger/fabric/core/config"
@@ -118,6 +120,20 @@ func TestSerializeIdentities(t *testing.T) {
 	}
 }
 
+func TestValidateCAIdentity(t *testing.T) {
+	caID := getIdentity(t, cacerts)
+
+	err := localMsp.Validate(caID)
+	assert.Error(t, err)
+}
+
+func TestValidateAdminIdentity(t *testing.T) {
+	caID := getIdentity(t, admincerts)
+
+	err := localMsp.Validate(caID)
+	assert.NoError(t, err)
+}
+
 func TestSerializeIdentitiesWithWrongMSP(t *testing.T) {
 	id, err := localMsp.GetDefaultSigningIdentity()
 	if err != nil {
@@ -497,3 +513,16 @@ func TestMain(m *testing.M) {
 	retVal := m.Run()
 	os.Exit(retVal)
 }
+
+func getIdentity(t *testing.T, path string) Identity {
+	mspDir, err := config.GetDevMspDir()
+	assert.NoError(t, err)
+
+	pems, err := getPemMaterialFromDir(filepath.Join(mspDir, path))
+	assert.NoError(t, err)
+
+	id, _, err := localMsp.(*bccspmsp).getIdentityFromConf(pems[0])
+	assert.NoError(t, err)
+
+	return id
+}
diff --git a/msp/mspwithintermediatecas_test.go b/msp/mspwithintermediatecas_test.go
index ed4b6ad0985..119bffd6f6f 100644
--- a/msp/mspwithintermediatecas_test.go
+++ b/msp/mspwithintermediatecas_test.go
@@ -134,3 +134,35 @@ func TestMSPWithIntermediateCAs(t *testing.T) {
 	err = thisMSP.Validate(localMSPID.GetPublicVersion())
 	assert.Error(t, err)
 }
+
+func TestIntermediateCAIdentityValidity(t *testing.T) {
+	keyinfo := &msp.KeyInfo{KeyIdentifier: "PEER", KeyMaterial: []byte(key)}
+
+	sigid := &msp.SigningIdentityInfo{PublicSigner: []byte(signcert), PrivateSigner: keyinfo}
+
+	cryptoConfig := &msp.FabricCryptoConfig{
+		SignatureHashFamily:            bccsp.SHA2,
+		IdentityIdentifierHashFunction: bccsp.SHA256,
+	}
+
+	fmspconf := &msp.FabricMSPConfig{
+		RootCerts:         [][]byte{[]byte(cacert)},
+		IntermediateCerts: [][]byte{[]byte(intermediatecert)},
+		SigningIdentity:   sigid,
+		Name:              "DEFAULT",
+		CryptoConfig:      cryptoConfig}
+
+	fmpsjs, _ := proto.Marshal(fmspconf)
+
+	mspconf := &msp.MSPConfig{Config: fmpsjs, Type: int32(FABRIC)}
+
+	thisMSP, err := NewBccspMsp()
+	assert.NoError(t, err)
+
+	err = thisMSP.Setup(mspconf)
+	assert.NoError(t, err)
+
+	id, _, err := thisMSP.(*bccspmsp).getIdentityFromConf([]byte(intermediatecert))
+	assert.NoError(t, err)
+	assert.Error(t, id.Validate())
+}