diff --git a/test/units/testsuite-70.cryptsetup.sh b/test/units/testsuite-70.cryptsetup.sh
index 3501e8eeb3..4cd627fe1a 100755
--- a/test/units/testsuite-70.cryptsetup.sh
+++ b/test/units/testsuite-70.cryptsetup.sh
@@ -141,9 +141,12 @@ if tpm_has_pcr sha256 12; then
         cmp /tmp/srk.pub /run/systemd/tpm2-srk-public-key.tpm2b_public
     fi
 
-    PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE"
-    systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
-    systemd-cryptsetup detach test-volume
+    # --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS
+    if openssl_supports_kdf SSKDF; then
+        PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE"
+        systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
+        systemd-cryptsetup detach test-volume
+    fi
 
     rm -f /tmp/pcr.dat /tmp/srk.pub
 fi
@@ -195,26 +198,29 @@ PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handl
 systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
 systemd-cryptsetup detach test-volume
 
-# Make sure that --tpm2-device-key= also works with systemd-repart
-tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
-mkdir /tmp/dditest
-cat > /tmp/dditest/50-root.conf <<EOF
+# --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS
+if openssl_supports_kdf SSKDF; then
+    # Make sure that --tpm2-device-key= also works with systemd-repart
+    tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
+    mkdir /tmp/dditest
+    cat > /tmp/dditest/50-root.conf <<EOF
 [Partition]
 Type=root
 Format=ext4
 CopyFiles=/tmp/dditest:/
 Encrypt=tpm2
 EOF
-PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs=
-DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)"
-systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes
-mkdir /tmp/dditest.mnt
-mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt
-cmp /tmp/dditest.mnt/50-root.conf /tmp/dditest/50-root.conf
-umount /tmp/dditest.mnt
-rmdir /tmp/dditest.mnt
-rm /tmp/dditest.raw
-rm /tmp/dditest/50-root.conf
-rmdir /tmp/dditest
+    PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs=
+    DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)"
+    systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes
+    mkdir /tmp/dditest.mnt
+    mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt
+    cmp /tmp/dditest.mnt/50-root.conf /tmp/dditest/50-root.conf
+    umount /tmp/dditest.mnt
+    rmdir /tmp/dditest.mnt
+    rm /tmp/dditest.raw
+    rm /tmp/dditest/50-root.conf
+    rmdir /tmp/dditest
+fi
 
 rm -f "$IMAGE" "$PRIMARY"
diff --git a/test/units/util.sh b/test/units/util.sh
index e47d32c2b3..fdfb91f8c6 100755
--- a/test/units/util.sh
+++ b/test/units/util.sh
@@ -189,3 +189,11 @@ tpm_has_pcr() {
 
     [[ -f "/sys/class/tpm/tpm0/pcr-$algorithm/$pcr" ]]
 }
+
+openssl_supports_kdf() {
+    local kdf="${1:?}"
+
+    # The arguments will need to be adjusted to make this work for other KDFs than SSKDF,
+    # but let's do that when/if the need arises
+    openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf"
+}