diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 96f014287..eea263201 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -425,6 +425,8 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
 * \param cn The expected Common Name. This may be \c NULL if the
 * CN need not be verified.
 * \param flags The address at which to store the result of the verification.
+ * If the verification couldn't be completed, the flag value is
+ * set to (uint32_t) -1.
 * \param f_vrfy The verification callback to use. See the documentation
 * of mbedtls_x509_crt_verify() for more information.
 * \param p_vrfy The context to be passed to \p f_vrfy.
@@ -464,6 +466,8 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
 * \param cn The expected Common Name. This may be \c NULL if the
 * CN need not be verified.
 * \param flags The address at which to store the result of the verification.
+ * If the verification couldn't be completed, the flag value is
+ * set to (uint32_t) -1.
 * \param f_vrfy The verification callback to use. See the documentation
 * of mbedtls_x509_crt_verify() for more information.
 * \param p_vrfy The context to be passed to \p f_vrfy.
@@ -500,6 +504,8 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
 * \param cn The expected Common Name. This may be \c NULL if the
 * CN need not be verified.
 * \param flags The address at which to store the result of the verification.
+ * If the verification couldn't be completed, the flag value is
+ * set to (uint32_t) -1.
 * \param f_vrfy The verification callback to use. See the documentation
 * of mbedtls_x509_crt_verify() for more information.
 * \param p_vrfy The context to be passed to \p f_vrfy.
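Review bot: The sentence added under `\param flags` says the value becomes `(uint32_t) -1` when verification cannot be completed, but it does not tell callers how to treat that value. With every bit set, code that decodes the flags bit by bit (for example by handing them to mbedtls_x509_crt_verify_info(), named in the first hunk header) would report every failure reason at once instead of "verification did not complete". I would extend the added text with something like `In that case the individual MBEDTLS_X509_BADCERT_XXX bits are not meaningful; use the return value to identify the error.` and write "the value at \p flags" rather than "the flag value". The same applies to the identical additions in the hunks at -464, -500 and -568. These doc comments start and end outside the hunks, so the `\return` text may already cover part of this.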
@@ -568,6 +574,8 @@ typedef int (*mbedtls_x509_crt_ca_cb_t)( void *p_ctx,
 * \param cn The expected Common Name. This may be \c NULL if the
 * CN need not be verified.
 * \param flags The address at which to store the result of the verification.
+ * If the verification couldn't be completed, the flag value is
+ * set to (uint32_t) -1.
 * \param f_vrfy The verification callback to use. See the documentation
 * of mbedtls_x509_crt_verify() for more information.
 * \param p_vrfy The context to be passed to \p f_vrfy.
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index cd6e292eb..b11ab849a 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -482,6 +482,7 @@ void x509_verify_ca_cb_failure( char *crt_file, char *ca_file, char *name,
 NULL, NULL );
 TEST_ASSERT( ret == exp_ret );
+ TEST_ASSERT( flags == (uint32_t)( -1 ) );
 exit:
 mbedtls_x509_crt_free( &crt );
 mbedtls_x509_crt_free( &ca );
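Review bot: The new `TEST_ASSERT( flags == (uint32_t)( -1 ) );` only shows that the library wrote the sentinel if `flags` held a different value before the call. Its declaration is outside this hunk, so please confirm it is initialised to a non-sentinel value such as `uint32_t flags = 0;`. A short comment above the assertion would tie it to the documented contract, for example `/* Verification did not complete: flags is documented to be (uint32_t) -1. */`. x509_verify_ca_cb_failure starts above the hunk and continues below it.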