diff --git a/test/chronoscope/nts/key_establishment_client_test.exs b/test/chronoscope/nts/key_establishment_client_test.exs
index bb1a220..180c9c9 100644
--- a/test/chronoscope/nts/key_establishment_client_test.exs
+++ b/test/chronoscope/nts/key_establishment_client_test.exs
@@ -1,8 +1,9 @@
 defmodule Chronoscope.NTS.KeyEstablishmentClientTest do
   use Chronoscope.Case
 
-  alias Chronoscope.NTS.SSLMock
+  alias Chronoscope.NTS.Certificate
   alias Chronoscope.NTS.KeyEstablishmentRequest
+  alias Chronoscope.NTS.SSLMock
 
   import Chronoscope.NTS.KeyEstablishmentClient
   import Mox
@@ -24,18 +25,6 @@ defmodule Chronoscope.NTS.KeyEstablishmentClientTest do
   end
 
   describe "Chronoscope.NTS.KeyEstablishmentClient.key_establishment()" do
-    test "handles an empty response" do
-      request = KeyEstablishmentRequest.create()
-
-      SSLMock
-      |> expect(:connect, fn ~c"localhost", 2222, _tls_options, @timeout -> {:ok, :socket} end)
-      |> expect(:send, fn :socket, ^request -> send_ssl_response([]) end)
-      |> expect(:peercert, fn :socket -> {:ok, peercert()} end)
-      |> expect(:close, fn :socket -> :ok end)
-
-      assert {:ok, %{cert_expiration: _expiration}} = key_establishment(%{host: "localhost", port: 2222})
-    end
-
     test "sends the correct TLS options" do
       SSLMock
       |> expect(:connect, fn ~c"localhost", 2222, tls_options, @timeout ->
@@ -49,8 +38,24 @@ defmodule Chronoscope.NTS.KeyEstablishmentClientTest do
       key_establishment(%{host: "localhost", port: 2222})
     end
 
+    test "handles an empty response" do
+      request = KeyEstablishmentRequest.create()
+      peercert = peercert()
+      peercert_expiration = Certificate.expiration_date(peercert)
+
+      SSLMock
+      |> expect(:connect, fn ~c"localhost", 2222, _tls_options, @timeout -> {:ok, :socket} end)
+      |> expect(:send, fn :socket, ^request -> send_ssl_response([]) end)
+      |> expect(:peercert, fn :socket -> {:ok, peercert} end)
+      |> expect(:close, fn :socket -> :ok end)
+
+      assert {:ok, %{cert_expiration: ^peercert_expiration}} = key_establishment(%{host: "localhost", port: 2222})
+    end
+
     test "handles a full response" do
       request = KeyEstablishmentRequest.create()
+      peercert = peercert()
+      peercert_expiration = Certificate.expiration_date(peercert)
 
       response =
         [0x80, 0x01, 0x00, 0x02, 0x00, 0x00] ++
@@ -64,12 +69,12 @@ defmodule Chronoscope.NTS.KeyEstablishmentClientTest do
       SSLMock
       |> expect(:connect, fn ~c"localhost", 2222, _tls_options, @timeout -> {:ok, :socket} end)
       |> expect(:send, fn :socket, ^request -> send_ssl_response(response) end)
-      |> expect(:peercert, fn :socket -> {:ok, peercert()} end)
+      |> expect(:peercert, fn :socket -> {:ok, peercert} end)
       |> expect(:close, fn :socket -> :ok end)
 
       assert {:ok,
               %{
-                cert_expiration: _expiration,
+                cert_expiration: ^peercert_expiration,
                 aead_algorithms: ["AEAD_AES_SIV_CMAC_256", "UNKNOWN", "AEAD_AES_128_GCM_SIV"],
                 cookie_length: 1,
                 cookies: [~c"c"],