diff --git a/tests/PKCS8/Tests.hs b/tests/PKCS8/Tests.hs
index 3ae9cdf..911466d 100644
--- a/tests/PKCS8/Tests.hs
+++ b/tests/PKCS8/Tests.hs
@@ -13,8 +13,10 @@ import Test.Tasty.QuickCheck
 import Util
 import PKCS8.Instances ()
-keyTests :: String -> TestTree
-keyTests prefix =
+data KeyTestType = InnerOuter | OnlyOuter
+
+keyTests :: KeyTestType -> String -> TestTree
+keyTests InnerOuter prefix =
 testGroup "PrivateKey"
 [ testCase "read outer" $ do
 kOuter <- readKeyFile fOuter
@@ -43,6 +45,19 @@ keyTests prefix =
 where
 fInner = testFile (prefix ++ "-unencrypted-trad.pem")
 fOuter = testFile (prefix ++ "-unencrypted-pkcs8.pem")
+keyTests OnlyOuter prefix =
+ testGroup "PrivateKey"
+ [ testCase "read" $ do
+ kOuter <- readKeyFile fOuter
+ length kOuter @?= 1
+ , testCase "write" $ do
+ bs <- B.readFile fOuter
+ let kOuter = readKeyFileFromMemory bs
+ [Unprotected kO] = kOuter
+ writeKeyFileToMemory PKCS8Format [kO] @?= bs
+ ]
+ where
+ fOuter = testFile (prefix ++ "-unencrypted-pkcs8.pem")
 encryptedKeyTests :: String -> TestTree
 encryptedKeyTests prefix =
@@ -72,10 +87,10 @@ encryptedKeyTests prefix =
 in all (\(Protected getKey) -> getKey pwd == Right key) kE
 ]
-testType :: TestName -> String -> TestTree
-testType name prefix =
+testType :: TestName -> KeyTestType -> String -> TestTree
+testType name ty prefix =
 testGroup name
- [ keyTests prefix
+ [ keyTests ty prefix
 , encryptedKeyTests prefix
 ]
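Review bot: `data KeyTestType` is added without a comment saying what the two constructors select or why a key type would be `OnlyOuter`. I would put `-- | Which unencrypted encodings a key type is tested in: 'InnerOuter' reads the traditional PEM and the PKCS#8 file, 'OnlyOuter' reads the PKCS#8 file only.` above the declaration. The body of `keyTests InnerOuter` continues outside the hunk.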
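Review bot: The lazy pattern `[Unprotected kO] = kOuter` in the new "write" case of `keyTests OnlyOuter` turns an unexpected parse result into a pattern-match exception instead of a test failure with a message. If the fixture ever decodes to no key, to several keys or to a `Protected` entry, the report will not say which. Matching explicitly keeps the byte-for-byte round-trip check and names the failure: `case readKeyFileFromMemory bs of`, then `[Unprotected kO] -> writeKeyFileToMemory PKCS8Format [kO] @?= bs` and `_ -> assertFailure "expected exactly one unprotected key"`. `assertFailure` comes from Test.Tasty.HUnit, which the file presumably already imports for `@?=`.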
@@ -93,13 +108,13 @@ propertyTests = localOption (QuickCheckMaxSize 5) $ testGroup "properties"
 pkcs8Tests :: TestTree
 pkcs8Tests =
 testGroup "PKCS8"
- [ testType "RSA" "rsa"
- , testType "DSA" "dsa"
- , testType "EC (named curve)" "ecdsa-p256"
- , testType "EC (explicit prime curve)" "ecdsa-epc"
- , testType "X25519" "x25519"
- , testType "X448" "x448"
- , testType "Ed25519" "ed25519"
- , testType "Ed448" "ed448"
+ [ testType "RSA" InnerOuter "rsa"
+ , testType "DSA" InnerOuter "dsa"
+ , testType "EC (named curve)" InnerOuter "ecdsa-p256"
+ , testType "EC (explicit prime curve)" InnerOuter "ecdsa-epc"
+ , testType "X25519" OnlyOuter "x25519"
+ , testType "X448" OnlyOuter "x448"
+ , testType "Ed25519" OnlyOuter "ed25519"
+ , testType "Ed448" OnlyOuter "ed448"
 , propertyTests
 ]
diff --git a/tests/files/ed25519-unencrypted-trad.pem b/tests/files/ed25519-unencrypted-trad.pem
deleted file mode 100644
index 056d8cd..0000000
--- a/tests/files/ed25519-unencrypted-trad.pem
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN ED25519 PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIOrKOPQUqxCUeZnZKJi5EmoEjxnDSSGp45U/t1evy/3v
------END ED25519 PRIVATE KEY-----
diff --git a/tests/files/ed448-unencrypted-trad.pem b/tests/files/ed448-unencrypted-trad.pem
deleted file mode 100644
index 96a1447..0000000
--- a/tests/files/ed448-unencrypted-trad.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN ED448 PRIVATE KEY-----
-MEcCAQAwBQYDK2VxBDsEOceJ7Mc21YZq6/qusCHA5d3wARXuJxMKSRkvsyD4GEKq
-hlubDZL0FQiS3OgjbeuKN+63xa+OVVz9XA==
------END ED448 PRIVATE KEY-----
diff --git a/tests/files/generate.sh b/tests/files/generate.sh
index 6182471..ac89520 100755
--- a/tests/files/generate.sh
+++ b/tests/files/generate.sh
@@ -62,6 +62,8 @@ fi
 "$OPENSSL" version || exit $?
+PROVIDERS="-provider default -provider legacy"
+
 function der_to_pem () {
 echo "-----BEGIN $1-----"
 "$OPENSSL" base64 -e
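Review bot: With X25519, X448, Ed25519 and Ed448 moved to `OnlyOuter` in this list and their `*-unencrypted-trad.pem` fixtures deleted in the same commit, nothing visible in the diff records what `readKeyFile` is expected to do with a PEM labelled `ED25519 PRIVATE KEY` or `X25519 PRIVATE KEY`. If the reader still accepts those labels, that path is now untested; if it is meant to reject or ignore them, a negative case would keep it that way. I would add a comment above the list, e.g. `-- Edwards/Montgomery keys: PKCS#8 only, the traditional fixtures were removed`, and one test asserting the intended result for such a label. The library code is not part of this diff, so the current behaviour needs confirming first.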
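Review bot: `PROVIDERS` is introduced without a comment, although it loads the legacy provider for every command it is later appended to and makes the script depend on an OpenSSL build with provider support. A line such as `# Needs OpenSSL with providers; "legacy" is loaded only so fixtures using obsolete ciphers (RC2, CAST, DES ...) can still be generated for decoding tests.` above the assignment would tell the next maintainer why it is there. The `"$OPENSSL" version || exit $?` line just above only prints the version, so an older binary would fail later on the unknown `-provider` option rather than at this point.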
@@ -82,7 +84,8 @@ function encrypt() {
 PBE-SHA1-RC2-128 \
 PBE-SHA1-RC2-40; do
 "$OPENSSL" pkcs8 -topk8 -in "$DEST_DIR"/"$TYPE"-unencrypted-pkcs8.pem \
- -v1 $cipher -passout pass:"$PASSWORD"
+ -v1 $cipher -passout pass:"$PASSWORD" \
+ $PROVIDERS
 done
 ) > "$DEST_DIR"/"$TYPE"-encrypted-pbes1.pem
@@ -90,7 +93,8 @@ function encrypt() {
 (
 for cipher in des des3 cast camellia128 rc2 rc2-40-cbc rc2-64-cbc; do
 "$OPENSSL" pkcs8 -topk8 -in "$DEST_DIR"/"$TYPE"-unencrypted-pkcs8.pem \
- -v2 $cipher -passout pass:"$PASSWORD"
+ -v2 $cipher -passout pass:"$PASSWORD" \
+ $PROVIDERS
 done
 ) > "$DEST_DIR"/"$TYPE"-encrypted-pbkdf2.pem
@@ -109,7 +113,7 @@ function encrypt() {
 "$OPENSSL" genpkey -algorithm RSA -out "$DEST_DIR"/rsa-unencrypted-pkcs8.pem
 "$OPENSSL" rsa -in "$DEST_DIR"/rsa-unencrypted-pkcs8.pem \
- -out "$DEST_DIR"/rsa-unencrypted-trad.pem
+ -traditional -out "$DEST_DIR"/rsa-unencrypted-trad.pem
 encrypt rsa
@@ -157,9 +161,6 @@ encrypt ecdsa-epc
 "$OPENSSL" genpkey -algorithm x25519 \
 -out "$DEST_DIR"/x25519-unencrypted-pkcs8.pem
-"$OPENSSL" pkey -in "$DEST_DIR"/x25519-unencrypted-pkcs8.pem \
- -traditional -out "$DEST_DIR"/x25519-unencrypted-trad.pem
-
 encrypt x25519
@@ -168,9 +169,6 @@ encrypt x25519
 "$OPENSSL" genpkey -algorithm x448 \
 -out "$DEST_DIR"/x448-unencrypted-pkcs8.pem
-"$OPENSSL" pkey -in "$DEST_DIR"/x448-unencrypted-pkcs8.pem \
- -traditional -out "$DEST_DIR"/x448-unencrypted-trad.pem
-
 encrypt x448
@@ -179,9 +177,6 @@ encrypt x448
 "$OPENSSL" genpkey -algorithm ed25519 \
 -out "$DEST_DIR"/ed25519-unencrypted-pkcs8.pem
-"$OPENSSL" pkey -in "$DEST_DIR"/ed25519-unencrypted-pkcs8.pem \
- -traditional -out "$DEST_DIR"/ed25519-unencrypted-trad.pem
-
 encrypt ed25519
@@ -190,9 +185,6 @@ encrypt ed25519
 "$OPENSSL" genpkey -algorithm ed448 \
 -out "$DEST_DIR"/ed448-unencrypted-pkcs8.pem
-"$OPENSSL" pkey -in "$DEST_DIR"/ed448-unencrypted-pkcs8.pem \
- -traditional -out "$DEST_DIR"/ed448-unencrypted-trad.pem
-
 encrypt ed448
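Review bot: The unquoted `$PROVIDERS` on the added line of the PBES1 loop works only through word-splitting of a string variable, so it depends on the current IFS and would break as soon as a provider argument needed a space or a glob character. The script already uses the bash-style `function` keyword, so if it runs under bash an array is the sturdier form: `PROVIDERS=(-provider default -provider legacy)` at the definition and `"${PROVIDERS[@]}"` at each use. The same expansion is added in the `-v2` loop of this function and in the pkcs12 and cms hunks further down. `encrypt` starts and ends outside this hunk.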
@@ -251,6 +243,7 @@ for TYPE in rsa ed25519; do
 -inkey "$DEST_DIR"/"$TYPE"-unencrypted-pkcs8.pem \
 -in "$DEST_DIR"/"$TYPE"-self-signed-cert.pem \
 -name "PKCS12 ($TYPE) -certpbe $certpbe" -certpbe $certpbe \
+ $PROVIDERS \
 | der_to_pem PKCS12
 done
@@ -259,6 +252,7 @@ for TYPE in rsa ed25519; do
 -inkey "$DEST_DIR"/"$TYPE"-unencrypted-pkcs8.pem \
 -in "$DEST_DIR"/"$TYPE"-self-signed-cert.pem \
 -name "PKCS12 ($TYPE) -keypbe $keypbe" -keypbe $keypbe \
+ $PROVIDERS \
 | der_to_pem PKCS12
 done
 ) > "$DEST_DIR"/"$TYPE"-pkcs12.pem
@@ -283,7 +277,7 @@ echo "$MESSAGE" | "$OPENSSL" cms -data_create \
 for MODE in pss; do
 echo "$MESSAGE" | "$OPENSSL" cms -sign -outform PEM \
- -stream -indef -md sha256 \
+ -nodetach -md sha256 \
 -inkey "$DEST_DIR"/rsa-unencrypted-pkcs8.pem \
 -signer "$DEST_DIR"/rsa-self-signed-cert.pem \
 -keyopt rsa_padding_mode:"$MODE"
@@ -320,14 +314,16 @@ echo "$MESSAGE" | "$OPENSSL" cms -data_create \
 for TYPE in rsa; do
 echo "$MESSAGE" | "$OPENSSL" cms -encrypt -outform PEM \
 -stream -indef $cipher \
- -recip "$DEST_DIR"/"$TYPE"-self-signed-cert.pem
+ -recip "$DEST_DIR"/"$TYPE"-self-signed-cert.pem \
+ $PROVIDERS
 done
 for MODE in oaep; do
 echo "$MESSAGE" | "$OPENSSL" cms -encrypt -outform PEM \
 -stream -indef $cipher \
 -recip "$DEST_DIR"/rsa-self-signed-cert.pem \
- -keyopt rsa_padding_mode:"$MODE"
+ -keyopt rsa_padding_mode:"$MODE" \
+ $PROVIDERS
 done
 done
 ) > "$DEST_DIR"/cms-enveloped-ktri-data.pem
@@ -344,7 +340,8 @@ echo "$MESSAGE" | "$OPENSSL" cms -data_create \
 echo "$MESSAGE" | "$OPENSSL" cms -encrypt -outform PEM \
 -stream -indef $cipher \
 -recip "$DEST_DIR"/"$TYPE"-self-signed-cert.pem \
- -keyopt ecdh_kdf_md:"$MD" -keyopt ecdh_cofactor_mode:0
+ -keyopt ecdh_kdf_md:"$MD" -keyopt ecdh_cofactor_mode:0 \
+ $PROVIDERS
 done
 done
 done
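Review bot: A failure of the command that now receives `$PROVIDERS` goes unnoticed in the `-certpbe` loop, because its output is piped straight into `| der_to_pem PKCS12` and the pipeline's status is that of `der_to_pem` unless `set -o pipefail` is in effect, which this diff does not show. With the legacy provider now requested, an OpenSSL build that cannot load it would leave an empty or truncated PKCS12 block in the regenerated fixture instead of stopping the script. I would add `set -o pipefail` near the top of the script, or write the DER to a temporary file and check the exit status before calling `der_to_pem`. The first line of the command is outside the hunk, and the `-keypbe` loop below has the same shape.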
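Review bot: Replacing `-stream -indef` with `-nodetach` in the PSS signing loop changes how the fixture is encoded, and the diff gives no reason for it. The streaming options ask for an indefinite-length constructed encoding, so after regeneration the PSS SignedData samples would presumably no longer exercise that parsing path in the CMS decoder. A comment on the line, e.g. `# -nodetach: content embedded in the SignedData, output no longer streamed`, plus the reason for the switch, would make the intent clear. If indefinite-length SignedData is still meant to be covered, one signing case should keep `-stream -indef`; other `cms -sign` calls are outside the hunk, so whether they still do cannot be seen here.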
@@ -359,7 +356,8 @@ echo "$MESSAGE" | "$OPENSSL" cms -data_create \
 key=`expr "$cipher_key" : '[^:]*:\([^:]*\)'`
 echo "$MESSAGE" | "$OPENSSL" cms -encrypt -outform PEM \
- -stream -indef $cipher -secretkey $key -secretkeyid 30
+ -stream -indef $cipher -secretkey $key -secretkeyid 30 \
+ $PROVIDERS
 done
 ) > "$DEST_DIR"/cms-enveloped-kekri-data.pem
@@ -372,7 +370,8 @@ echo "$MESSAGE" | "$OPENSSL" cms -data_create \
 key=`expr "$cipher_key" : '[^:]*:\([^:]*\)'`
 echo "$MESSAGE" | "$OPENSSL" cms -encrypt -outform PEM \
- -stream -indef $cipher -pwri_password "$PASSWORD"
+ -stream -indef $cipher -pwri_password "$PASSWORD" \
+ $PROVIDERS
 done
 ) > "$DEST_DIR"/cms-enveloped-pwri-data.pem
@@ -395,6 +394,7 @@ echo "$MESSAGE" | "$OPENSSL" cms -data_create \
 key=`expr "$cipher_key" : '[^:]*:\([^:]*\)'`
 echo "$MESSAGE" | "$OPENSSL" cms -EncryptedData_encrypt -outform PEM \
- -stream -indef $cipher -secretkey $key
+ -stream -indef $cipher -secretkey $key \
+ $PROVIDERS
 done
 ) > "$DEST_DIR"/cms-encrypted-data.pem
diff --git a/tests/files/x25519-unencrypted-trad.pem b/tests/files/x25519-unencrypted-trad.pem
deleted file mode 100644
index 63c9372..0000000
--- a/tests/files/x25519-unencrypted-trad.pem
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN X25519 PRIVATE KEY-----
-MC4CAQAwBQYDK2VuBCIEIIhgx84XP3vLVdFwZWT88BG/gGRXl6YYUeo0lWX2E8RY
------END X25519 PRIVATE KEY-----
diff --git a/tests/files/x448-unencrypted-trad.pem b/tests/files/x448-unencrypted-trad.pem
deleted file mode 100644
index 17dd602..0000000
--- a/tests/files/x448-unencrypted-trad.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN X448 PRIVATE KEY-----
-MEYCAQAwBQYDK2VvBDoEOOC8GlnbqcOSJ+ISHV8HJTD3WGdC1sQdZ+0Gkx7sUvL0
-Bm0KxY3cO9Rg9MQb3qkfVngRes0sb86Q
------END X448 PRIVATE KEY-----