diff --git a/categories.txt b/categories.txt
index 5bea61b6bc..3a8910967f 100644
--- a/categories.txt
+++ b/categories.txt
@@ -1,4 +1,12 @@
-categories:
+# Try First
+
+missing socket.on('data') event when data received after socket.end():
+- test-tls-net-socket-keepalive.js
+
+connect() callback never called when invalid pfx provided:
+- test-tls-invalid-pfx.js
+
+# More
 
 - bun gets error ECONNREFUSED but node gets write EPROTO & allows process exit: test-tls-junk-server
 - different cipher list, support --tls-cipher-list: test-tls-cipher-list
@@ -11,7 +19,6 @@ categories:
 - checkServerIdentity called with 'undefined' for 'cert', throws: test-tls-empty-sni-context.js
 - ServerHandlers handshake() doesn't disconect for non-ECONNRESEET error? test-tls-hello-parser-failure.js
 - takes 18s in bun but 300ms in node: test-gc-tls-external-memory.js
-- missing socket.on('data') event when data received after socket.end(): test-tls-net-socket-keepalive.js
 
 createSecurePair not implemented:
 These tests are removed in new node versions:
diff --git a/test/js/node/test/parallel/test-tls-invalid-pfx.js b/test/js/node/test/parallel/test-tls-invalid-pfx.js
new file mode 100644
index 0000000000..c16858f0f7
--- /dev/null
+++ b/test/js/node/test/parallel/test-tls-invalid-pfx.js
@@ -0,0 +1,23 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+const fixtures = require('../common/fixtures');
+
+const {
+  assert, connect, keys
+} = require(fixtures.path('tls-connect'));
+
+const invalidPfx = fixtures.readKey('cert-without-key.pfx');
+
+connect({
+  client: {
+    pfx: invalidPfx,
+    passphrase: 'test',
+    rejectUnauthorized: false
+  },
+  server: keys.agent1
+}, common.mustCall((e, pair, cleanup) => {
+  assert.strictEqual(e.message, 'Unable to load private key from PFX data');
+  cleanup();
+}));