diff --git a/tests/conftest.py b/tests/conftest.py
index b728a9f2..c800a088 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -164,6 +164,13 @@ def queue():
     atst_queue.get_queue().empty()
 
 
+@pytest.fixture
+def crl_failover_open_app(app):
+    app.config.update({"CRL_FAIL_OPEN": True})
+    yield app
+    app.config.update({"CRL_FAIL_OPEN": False})
+
+
 @pytest.fixture
 def rsa_key():
     def _rsa_key():
diff --git a/tests/domain/authnid/test_crl.py b/tests/domain/authnid/test_crl.py
index 34fc718c..9b98ed3d 100644
--- a/tests/domain/authnid/test_crl.py
+++ b/tests/domain/authnid/test_crl.py
@@ -132,7 +132,7 @@ def test_no_op_crl_cache_logs_common_name():
 
 
 def test_expired_crl_raises_CRLInvalidException_with_failover_config_false(
-    app, ca_file, expired_crl_file, ca_key, make_x509, rsa_key, monkeypatch
+    app, ca_file, expired_crl_file, ca_key, make_x509, rsa_key
 ):
     app.config.update({"CRL_FAIL_OPEN": False})
     client_cert = make_x509(rsa_key(), signer_key=ca_key, cn="chewbacca")
@@ -143,15 +143,13 @@ def test_expired_crl_raises_CRLInvalidException_with_failover_config_false(
 
 
 def test_expired_crl_passes_with_failover_config_true(
-    ca_file, expired_crl_file, ca_key, make_x509, rsa_key, monkeypatch, app
+    ca_file, expired_crl_file, ca_key, make_x509, rsa_key, crl_failover_open_app
 ):
-    app.config.update({"CRL_FAIL_OPEN": True})
     client_cert = make_x509(rsa_key(), signer_key=ca_key, cn="chewbacca")
     client_pem = client_cert.public_bytes(Encoding.PEM)
     crl_cache = CRLCache(ca_file, crl_locations=[expired_crl_file])
 
     assert crl_cache.crl_check(client_pem)
-    app.config.update({"CRL_FAIL_OPEN": False})
 
 
 def test_updates_expired_certs(