diff --git a/tests/postgres_test.go b/tests/postgres_test.go
index 5794ac607..582da87e9 100644
--- a/tests/postgres_test.go
+++ b/tests/postgres_test.go
@@ -251,9 +251,6 @@ func TestPostgresCustomerCAS(t *testing.T) {
 	if *postgresCustomerCASDomain == "" {
 		t.Fatal("'postgres_customer_cas_domain' not set")
 	}
-	if *postgresCustomerCASInvalidDomain == "" {
-		t.Fatal("'postgres_customer_cas_invalid_domain' not set")
-	}
 
 	defaultDSN := fmt.Sprintf("host=localhost user=%s password=%s database=%s sslmode=disable",
 		*postgresUser, *postgresCustomerCASPass, *postgresDB)
@@ -264,7 +261,7 @@ func TestPostgresCustomerCAS(t *testing.T) {
 		args []string
 	}{
 		{
-			desc: "using default usage",
+			desc: "using customer CAS default",
 			args: []string{*postgresCustomerCASConnName},
 			dsn:  defaultDSN,
 		},
@@ -281,6 +278,39 @@ func TestPostgresCustomerCAS(t *testing.T) {
 	}
 }
 
+func TestPostgresCustomerCASInvalidSAN(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping Postgres integration tests")
+	}
+	requirePostgresVars(t)
+	if *postgresCustomerCASPass == "" {
+		t.Fatal("'postgres_customer_cas_pass' not set")
+	}
+	if *postgresCustomerCASInvalidDomain == "" {
+		t.Fatal("'postgres_customer_cas_invalid_domain' not set")
+	}
+
+	defaultDSN := fmt.Sprintf("host=localhost user=%s password=%s database=%s sslmode=disable",
+		*postgresUser, *postgresCustomerCASPass, *postgresDB)
+
+	tcs := []struct {
+		desc string
+		dsn  string
+		args []string
+	}{
+		{
+			desc: "using invalid customer CAS domain (not in SAN)",
+			args: []string{*postgresCustomerCASInvalidDomain},
+			dsn:  defaultDSN,
+		},
+	}
+	for _, tc := range tcs {
+		t.Run(tc.desc, func(t *testing.T) {
+			proxyConnTest(t, tc.args, "pgx", tc.dsn)
+		})
+	}
+}
+
 func TestPostgresHealthCheck(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping Postgres integration tests")