diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 43133d9..64564ab 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2204,7 +2204,9 @@
             ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
             mbedtls_printf(" failed\n  ! mbedtls_ssl_handshake returned -0x%x\n",
                            (unsigned int) -ret);
-            if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+            if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+                ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
                 mbedtls_printf(
                     "    Unable to verify the server's certificate. "
                     "Either it is invalid,\n"
@@ -2215,7 +2217,13 @@
                     "not using TLS 1.3.\n"
                     "    For TLS 1.3 server, try `ca_path=/etc/ssl/certs/`"
                     "or other folder that has root certificates\n");
+
+                flags = mbedtls_ssl_get_verify_result(&ssl);
+                char vrfy_buf[512];
+                x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
+                mbedtls_printf("%s\n", vrfy_buf);
             }
+#endif
             mbedtls_printf("\n");
             goto exit;
         }
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index a5d2ed1..0f871f7 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3504,7 +3504,8 @@
                        (unsigned int) -ret);
 
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-        if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+        if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+            ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
             char vrfy_buf[512];
             flags = mbedtls_ssl_get_verify_result(&ssl);
 
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 895d8fc..6956805 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -7736,7 +7736,7 @@
             -c "Processing of the Certificate handshake message failed" \
             -C "Ciphersuite is TLS-" \
             -c "send alert level=2 message=43" \
-            -C "! Usage does not match the keyUsage extension"
+            -c "! Usage does not match the keyUsage extension"
             # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
 
 run_test    "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail, soft" \
@@ -7771,7 +7771,7 @@
             -c "Processing of the Certificate handshake message failed" \
             -C "Ciphersuite is TLS-" \
             -c "send alert level=2 message=43" \
-            -C "! Usage does not match the keyUsage extension"
+            -c "! Usage does not match the keyUsage extension"
             # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
 
 run_test    "keyUsage cli 1.2: DigitalSignature, RSA: fail, soft" \
@@ -7822,7 +7822,7 @@
             -c "Processing of the Certificate handshake message failed" \
             -C "Ciphersuite is" \
             -c "send alert level=2 message=43" \
-            -C "! Usage does not match the keyUsage extension"
+            -c "! Usage does not match the keyUsage extension"
             # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
 
 requires_openssl_tls1_3_with_compatible_ephemeral
@@ -7837,7 +7837,7 @@
             -c "Processing of the Certificate handshake message failed" \
             -C "Ciphersuite is" \
             -c "send alert level=2 message=43" \
-            -C "! Usage does not match the keyUsage extension"
+            -c "! Usage does not match the keyUsage extension"
             # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
 
 requires_openssl_tls1_3_with_compatible_ephemeral
@@ -7864,7 +7864,7 @@
             -c "Processing of the Certificate handshake message failed" \
             -C "Ciphersuite is" \
             -c "send alert level=2 message=43" \
-            -C "! Usage does not match the keyUsage extension"
+            -c "! Usage does not match the keyUsage extension"
             # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
 
 requires_openssl_tls1_3_with_compatible_ephemeral
@@ -7879,7 +7879,7 @@
             -c "Processing of the Certificate handshake message failed" \
             -C "Ciphersuite is" \
             -c "send alert level=2 message=43" \
-            -C "! Usage does not match the keyUsage extension"
+            -c "! Usage does not match the keyUsage extension"
             # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
 
 # Tests for keyUsage in leaf certificates, part 3:
@@ -7916,6 +7916,7 @@
             1 \
             -s "bad certificate (usage extensions)" \
             -s "send alert level=2 message=43" \
+            -s "! Usage does not match the keyUsage extension" \
             -s "Processing of the Certificate handshake message failed"
             # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
 
@@ -7948,6 +7949,7 @@
             1 \
             -s "bad certificate (usage extensions)" \
             -s "send alert level=2 message=43" \
+            -s "! Usage does not match the keyUsage extension" \
             -s "Processing of the Certificate handshake message failed"
             # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
 
@@ -7999,6 +8001,7 @@
             -s "bad certificate (usage extensions)" \
             -s "Processing of the Certificate handshake message failed" \
             -s "send alert level=2 message=43" \
+            -s "! Usage does not match the keyUsage extension" \
             -s "! mbedtls_ssl_handshake returned"
             # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
             #
@@ -8040,6 +8043,7 @@
             -s "bad certificate (usage extensions)" \
             -s "Processing of the Certificate handshake message failed" \
             -s "send alert level=2 message=43" \
+            -s "! Usage does not match the keyUsage extension" \
             -s "! mbedtls_ssl_handshake returned"
             # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
             #