diff --git a/lib/modules/Standards.pmod/X509.pmod b/lib/modules/Standards.pmod/X509.pmod
index 330d77347ff0d31bb86538caa3fa2a67a6993b36..6731e30c99800aaf529fd3c918741b48afe108d3 100644
--- a/lib/modules/Standards.pmod/X509.pmod
+++ b/lib/modules/Standards.pmod/X509.pmod
@@ -292,6 +292,12 @@ class TBSCertificate
 {
   inherit Sequence;
 
+  void _decode(array(int|array(Object)) x)
+  {
+    ::_decode(x);
+    init(this);
+  }
+
   protected string internal_der;
 
   //!
@@ -759,17 +765,15 @@ class TBSCertificate
   //! Object. Returns the object on success, otherwise @expr{0@}. You
   //! probably want to call @[decode_certificate] or even
   //! @[verify_certificate].
-  this_program init(array(Object)|Object asn1)
+  this_program init(array|Object asn1)
   {
-    array(Object) a;
-    if (objectp(asn1)) {
-      if (asn1->type_name != "SEQUENCE")
-	return 0;
+    if (!objectp(asn1))
+      return 0;
 
-      a = ([object(Sequence)]asn1)->elements;
-    } else {
-      a = [array(Object)]asn1;
-    }
+    if (asn1->type_name != "SEQUENCE")
+      return 0;
+
+    array(Object) a = ([object(Sequence)]asn1)->elements;
     DBG("TBSCertificate: sizeof(a) = %d\n", sizeof(a));
       
     if (sizeof(a) < 6)
diff --git a/lib/modules/Standards.pmod/testsuite.in b/lib/modules/Standards.pmod/testsuite.in
index b6350d5530d53f3fdb5d9b135475ee1142b003ae..a8ee4fd1726588b87db043a6c50434352aae8535 100644
--- a/lib/modules/Standards.pmod/testsuite.in
+++ b/lib/modules/Standards.pmod/testsuite.in
@@ -437,6 +437,16 @@ test_true(mappingp(Standards.X509.load_authorities()))
 
 define(test_cert, ([[
   test_true(Standards.X509.verify_certificate(Standards.PEM.Messages(#"$1")->parts->CERTIFICATE->body, ([])))
+  test_any([[
+    string der = Standards.PEM.Messages(#"$1")->parts->CERTIFICATE->body;
+    object o = decode_value(encode_value(Standards.X509.decode_certificate(der)));
+    /* TBS does not contain the full certificate... */
+    /* if( o->get_der() != der ) return -1; */
+
+    if( o->ext_basicConstraints != 1) return 2;
+    if( !o->public_key->pkc ) return 3;
+    return 1;
+  ]], 1)
 ]]))
 
 dnl openssl req -x509 -nodes -days 365 -subj "/CN=PikeCert" -md5 -newkey rsa:2048 -out certfile.cer