diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpX509Tests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpX509Tests.groovy
index 6deb100139..7e80ea20cc 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpX509Tests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpX509Tests.groovy
@@ -13,7 +13,9 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package org.springframework.security.config.annotation.web.configurers;
+package org.springframework.security.config.annotation.web.configurers
+
+import sun.security.x509.X500Name
 
 import java.security.cert.CertificateFactory
 import java.security.cert.X509Certificate
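Review bot: The added `import sun.security.x509.X500Name` ties this spec to a JDK-internal class; `sun.*` packages are not a supported API and `sun.security.x509` is not exported from `java.base` on modular JDKs, so the spec can break on a different runtime. Its only use is the cast in `CustomPrincipalExtractorConfig` in the next hunk, where `getSubjectDN()` returns an implementation-specific type, so `as X500Name` holds only for the default provider's certificate class. The CN can be read through public API instead, e.g. `.x509PrincipalExtractor { cert -> new LdapName(cert.subjectX500Principal.name).rdns.find { it.type.equalsIgnoreCase('CN') }.value }` with `import javax.naming.ldap.LdapName` replacing the `sun.*` import.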
@@ -162,6 +164,38 @@ public class NamespaceHttpX509Tests extends BaseSpringSpec {
 }
 }
 
+ def "http/x509@custom-principal-extractor"() {
+ setup:
+ X509Certificate certificate = loadCert("rodatexampledotcom.cer")
+ loadConfig(CustomPrincipalExtractorConfig)
+ when:
+ request.setAttribute("javax.servlet.request.X509Certificate", [certificate] as X509Certificate[] )
+ springSecurityFilterChain.doFilter(request, response, chain)
+ then:
+ response.status == 200
+ authentication().name == 'rod@example.com'
+ }
+
+ @EnableWebSecurity
+ public static class CustomPrincipalExtractorConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ auth.
+ inMemoryAuthentication()
+ .withUser("rod@example.com").password("password").roles("USER","ADMIN");
+ }
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http
+ .authorizeRequests()
+ .anyRequest().hasRole("USER")
+ .and()
+ .x509()
+ .x509PrincipalExtractor{ (it.subjectDN as X500Name).commonName }
+ }
+ }
+
 def "http/x509@user-service-ref"() {
 setup:
 X509Certificate certificate = loadCert("rodatexampledotcom.cer")
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.groovy
index a76e8dd72c..21ac025c07 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.groovy
@@ -55,6 +55,6 @@ class X509ConfigurerTests extends BaseSpringSpec {
 .and()
 .x509()
 then:
- http.getConfigurer(X509Configurer).subjectPrincipalRegex == ".*"
+ http.getConfigurer(X509Configurer).x509PrincipalExtractor.subjectDnPattern.toString() == ".*"
 }
 }
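Review bot: The new feature method `http/x509@custom-principal-extractor` in NamespaceHttpX509Tests does not appear able to tell the custom extractor from the default one. The closure returns the certificate's CN and the test expects `rod@example.com`, which, as far as I can tell, is also what the default CN-matching subject-DN extractor yields for `rodatexampledotcom.cer`. If the configurer ignored `x509PrincipalExtractor`, the request would still authenticate and return 200. Because the extractor decides which account a client certificate maps to, have the closure produce a name the default cannot (for example a fixed prefix plus the CN) and register the in-memory user under that name.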
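Review bot: In X509ConfigurerTests the replacement assertion `x509PrincipalExtractor.subjectDnPattern.toString() == ".*"` checks the extractor's internal state rather than its behaviour, and it assumes the configurer always holds the subject-DN implementation. It looks like `subjectDnPattern` is not part of that class's public surface (Groovy reads it regardless), so a refactor of the extractor could break this test with no change to X.509 handling; worth confirming. Asserting on the principal the extractor returns for a known certificate would state the intent directly, or at minimum use `subjectDnPattern.pattern()` instead of `toString()`. The enclosing feature method starts above the hunk.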