diff --git a/src/ssl_certman.c b/src/ssl_certman.c
index 149b1bd56..4c0eafa8b 100644
--- a/src/ssl_certman.c
+++ b/src/ssl_certman.c
@@ -575,6 +575,19 @@ void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc)
 }
 #endif /* NO_WOLFSSL_CM_VERIFY */
+#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
+ && defined(HAVE_OID_DECODING)
+void wolfSSL_CertManagerSetUnknownExtCallback(WOLFSSL_CERT_MANAGER* cm,
+ wc_UnknownExtCallback cb)
+{
+ WOLFSSL_ENTER("wolfSSL_CertManagerSetUnknownExtCallback");
+ if (cm != NULL) {
+ cm->unknownExtCallback = cb;
+ }
+
+}
+#endif /* WOLFSSL_CUSTOM_OID && WOLFSSL_ASN_TEMPLATE && HAVE_OID_DECODING */
+
 #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
 /* Verify the certificate.
 *
@@ -643,6 +656,12 @@ int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const unsigned char* buff,
 /* Create a decoded certificate with DER buffer. */
 InitDecodedCert(cert, buff, (word32)sz, cm->heap);
+#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
+ && defined(HAVE_OID_DECODING)
+ if (cm->unknownExtCallback != NULL)
+ wc_SetUnknownExtCallback(cert, cm->unknownExtCallback);
+#endif
+
 /* Parse DER into decoded certificate fields and verify signature
 * against a known CA. */
 ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, cm);
diff --git a/tests/api.c b/tests/api.c
index 991cfb228..d5d710ef2 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -1084,6 +1084,21 @@ static int do_dual_alg_tls13_connection(byte *caCert, word32 caCertSz,
 return EXPECT_RESULT();
 }
+static int extCount = 0;
+static int myUnknownExtCallback(const word16* oid, word32 oidSz, int crit,
+ const unsigned char* der, word32 derSz)
+{
+ (void) oid;
+ (void) oidSz;
+ (void) crit;
+ (void) der;
+ (void) derSz;
+ extCount ++;
+ /* Accept all extensions. This is only a test. Normally we would be much more
+ * careful about critical extensions. */
+ return 1;
+}
+
 static int test_dual_alg_support(void)
 {
 EXPECT_DECLS;
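Review bot: wolfSSL_CertManagerSetUnknownExtCallback is added without the header comment the neighbouring functions in this file carry, and the contract a caller most needs — what the callback's return value means — is only implied by the test, which returns 1 to "accept all extensions". Add a comment above the `#if` stating that the callback is invoked for certificate extensions whose OID is not recognised during verification, that its return value decides whether the extension is accepted (confirm against wc_SetUnknownExtCallback, which is not in this diff), that accepting an unknown critical extension bypasses the rejection a verifier would normally apply so the callback must inspect crit, and that a NULL cm is a no-op. The blank line before the closing `}` is stray. The same three-macro guard is spelled out here, in the CM_VerifyBuffer_ex hunk below, in internal.h and twice in ssl.h; defining it once as a derived feature macro next to the settings.h change would keep the five copies from drifting apart.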
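Review bot: The added `if (cm->unknownExtCallback != NULL)` has an unbraced body while the setter added in the hunk above braces a single statement; write it as `if (cm->unknownExtCallback != NULL) {` / `wc_SetUnknownExtCallback(cert, cm->unknownExtCallback);` / `}`. The NULL check also relies on the new struct field being zeroed when the manager is allocated; wolfSSL_CertManagerNew_ex is not in this diff, so confirm it clears the whole struct, otherwise an indeterminate pointer is read here. Within this diff the callback is attached to a DecodedCert only on this verify path, so presumably extensions in certificates loaded through the CA-loading functions are never reported; that limitation belongs in the setter's documentation. CM_VerifyBuffer_ex begins and ends outside the hunk.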
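Review bot: myUnknownExtCallback and extCount are added without the `defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) && defined(HAVE_OID_DECODING)` guard that the API they exercise is under, and the later test_dual_alg_support hunk calls wolfSSL_CertManagerSetUnknownExtCallback unconditionally; unless the `#ifdef` enclosing these tests (outside the hunk) already implies all three macros, a build with WOLFSSL_DUAL_ALG_CERTS but without WOLFSSL_CUSTOM_OID gets an undeclared function and an unused static. Wrap the callback definition and the new block in the later hunk in the same condition as the API. `extCount ++;` should be `extCount++;`. Since the callback is the only place the test sees the extension, recording `oidSz` and `crit` into statics alongside the count would let the later assertion check that the one reported extension is the expected non-critical one rather than just that some extension was seen.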
@@ -1099,6 +1114,7 @@ static int test_dual_alg_support(void)
 int rootSz = 0;
 byte *server = NULL;
 int serverSz = 0;
+ WOLFSSL_CERT_MANAGER* cm = NULL;
 ExpectIntEQ(load_file(keyFile, &serverKey, &serverKeySz), 0);
@@ -1130,6 +1146,20 @@ static int test_dual_alg_support(void)
 ExpectIntEQ(do_dual_alg_tls13_connection(root, rootSz, server, serverSz, serverKey, (word32)serverKeySz, 1), TEST_SUCCESS);
+
+ /* Lets see if CertManager can find the new extensions */
+ extCount = 0;
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ wolfSSL_CertManagerSetUnknownExtCallback(cm, myUnknownExtCallback);
+ ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, root, rootSz,
+ SSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, server, serverSz,
+ SSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+ /* There is only 1 unknown exension (1.2.3.4.5). The other ones are known
+ * because they are for the dual alg extensions. */
+ ExpectIntEQ(extCount, 1);
+ wolfSSL_CertManagerFree(cm);
+
 XFREE(root, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 XFREE(server, NULL, DYNAMIC_TYPE_TMP_BUFFER);
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 572114e52..ca3f80d83 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2629,10 +2629,13 @@ struct WOLFSSL_CERT_MANAGER {
 #endif
 wolfSSL_Ref ref;
 #ifdef HAVE_PQC
- short minFalconKeySz; /* minimum allowed Falcon key size */
- short minDilithiumKeySz; /* minimum allowed Dilithium key size */
+ short minFalconKeySz; /* minimum allowed Falcon key size */
+ short minDilithiumKeySz; /* minimum allowed Dilithium key size */
+#endif
+#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
+ && defined(HAVE_OID_DECODING)
+ wc_UnknownExtCallback unknownExtCallback;
 #endif
-
 };
 WOLFSSL_LOCAL int CM_SaveCertCache(WOLFSSL_CERT_MANAGER* cm,
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index b760e27a2..4e86b0da4 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
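Review bot: The new block asserts only that exactly one callback invocation happened, while its comment makes the stronger claim that the single unknown extension is 1.2.3.4.5 and that the dual-alg extensions are recognised; because the root is loaded through wolfSSL_CertManagerLoadCABuffer and then the server through wolfSSL_CertManagerVerifyBuffer, the count of 1 alone does not show which certificate or which extension triggered it. If the callback recorded the OID it was handed, an `ExpectIntEQ` on that value would pin the comment's claim. Two typos in the added comments: `Lets` → `Let's` and `exension` → `extension`. The cm is freed unconditionally, which is fine only if wolfSSL_CertManagerFree tolerates NULL after a failed ExpectNotNull — the setter in this diff does, but the free is not shown here.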
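Review bot: The new `unknownExtCallback` member is the only field in this part of struct WOLFSSL_CERT_MANAGER without a trailing comment, while the two fields re-aligned just above it each carry one; add `wc_UnknownExtCallback unknownExtCallback; /* app callback for extensions with unknown OID, used on verify */`. The two bare `#endif`s would read better with guard comments, as the ssl_certman.c hunk does with `/* WOLFSSL_CUSTOM_OID && WOLFSSL_ASN_TEMPLATE && HAVE_OID_DECODING */`. The re-indentation of the HAVE_PQC lines churns the diff without changing anything; acceptable if the project's alignment rule requires it, otherwise drop it.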
@@ -1536,7 +1536,8 @@ WOLFSSL_API int wolfSSL_sk_push_node(WOLFSSL_STACK** stack, WOLFSSL_STACK* in);
 WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_get_node(WOLFSSL_STACK* sk, int idx);
 WOLFSSL_API int wolfSSL_sk_push(WOLFSSL_STACK *st, const void *data);
-#if defined(HAVE_OCSP) || defined(HAVE_CRL)
+#if defined(HAVE_OCSP) || defined(HAVE_CRL) || (defined(WOLFSSL_CUSTOM_OID) && \
+ defined(WOLFSSL_ASN_TEMPLATE) && defined(HAVE_OID_DECODING))
 #include "wolfssl/wolfcrypt/asn.h"
 #endif
@@ -3594,6 +3595,13 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
 WOLFSSL_API void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm);
 WOLFSSL_API int wolfSSL_CertManager_up_ref(WOLFSSL_CERT_MANAGER* cm);
+#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
+ && defined(HAVE_OID_DECODING)
+ WOLFSSL_API void wolfSSL_CertManagerSetUnknownExtCallback(
+ WOLFSSL_CERT_MANAGER* cm,
+ wc_UnknownExtCallback cb);
+#endif
+
 WOLFSSL_API int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* f, const char* d);
 WOLFSSL_API int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index e60d684a3..02bd06c27 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -348,6 +348,9 @@
 #undef OPENSSL_EXTRA
 #define OPENSSL_EXTRA
+
+#undef HAVE_OID_DECODING
+#define HAVE_OID_DECODING
 #endif /* WOLFSSL_DUAL_ALG_CERTS */
 /* ---------------------------------------------------------------------------
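Review bot: The new prototype appears to be indented inside its `#if` block (the collapsed text shows a leading space before `WOLFSSL_API`, so this is inferred), whereas every other WOLFSSL_API prototype in this hunk and the one above starts at column 0; align it with its neighbours, `WOLFSSL_API void wolfSSL_CertManagerSetUnknownExtCallback(`. The declaration also depends on wc_UnknownExtCallback from asn.h, which the earlier hunk pulls in under the same condition — worth a one-line comment on the `#if` here, e.g. `/* wc_UnknownExtCallback comes from wolfcrypt/asn.h, included above under the same condition */`, so the two guards are kept in step when either is edited.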