diff --git a/nomad/vault_test.go b/nomad/vault_test.go
index 4b8abdd9e..cc50b02a1 100644
--- a/nomad/vault_test.go
+++ b/nomad/vault_test.go
@@ -1,6 +1,7 @@
 package nomad
 
 import (
+	"encoding/json"
 	"log"
 	"os"
 	"strings"
@@ -9,6 +10,7 @@ import (
 
 	"github.com/hashicorp/nomad/nomad/structs/config"
 	"github.com/hashicorp/nomad/testutil"
+	vapi "github.com/hashicorp/vault/api"
 )
 
 func TestVaultClient_BadConfig(t *testing.T) {
@@ -50,6 +52,7 @@ func TestVaultClient_EstablishConnection(t *testing.T) {
 	if err != nil {
 		t.Fatalf("failed to build vault client: %v", err)
 	}
+	defer client.Stop()
 
 	// Sleep a little while and check that no connection has been established.
 	time.Sleep(100 * time.Duration(testutil.TestMultiplier()) * time.Millisecond)
@@ -78,4 +81,73 @@ func TestVaultClient_RenewalLoop(t *testing.T) {
 	v := testutil.NewTestVault(t).Start()
 	defer v.Stop()
 
+	// Build a role
+	l := v.Client.Logical()
+	d := make(map[string]interface{}, 2)
+	d["allowed_policies"] = "default"
+	d["period"] = 5
+	l.Write("auth/token/roles/test", d)
+
+	// Create a new token with the role
+	a := v.Client.Auth().Token()
+	req := vapi.TokenCreateRequest{}
+	s, err := a.CreateWithRole(&req, "test")
+	if err != nil {
+		t.Fatalf("failed to create child token: %v", err)
+	}
+
+	// Get the client token
+	if s == nil || s.Auth == nil {
+		t.Fatalf("bad secret response: %+v", s)
+	}
+
+	// Set the configs token
+	v.Config.Token = s.Auth.ClientToken
+
+	// Start the client
+	logger := log.New(os.Stderr, "", log.LstdFlags)
+	client, err := NewVaultClient(v.Config, logger)
+	if err != nil {
+		t.Fatalf("failed to build vault client: %v", err)
+	}
+	defer client.Stop()
+
+	// Sleep 8 seconds and ensure we have a non-zero TTL
+	time.Sleep(8 * time.Second)
+
+	// Get the current TTL
+	s2, err := a.Lookup(v.Config.Token)
+	if err != nil {
+		t.Fatalf("failed to lookup token: %v", err)
+	}
+
+	ttl := parseTTLFromLookup(s2, t)
+	if ttl == 0 {
+		t.Fatalf("token renewal failed; ttl %v", ttl)
+	}
+}
+
+func parseTTLFromLookup(s *vapi.Secret, t *testing.T) int64 {
+	if s == nil {
+		t.Fatalf("nil secret")
+	} else if s.Data == nil {
+		t.Fatalf("nil data block in secret")
+	}
+
+	ttlRaw, ok := s.Data["ttl"]
+	if !ok {
+		t.Fatalf("no ttl")
+	}
+
+	ttlNumber, ok := ttlRaw.(json.Number)
+	if !ok {
+		t.Fatalf("failed to convert ttl %q to json Number", ttlRaw)
+	}
+
+	ttl, err := ttlNumber.Int64()
+	if err != nil {
+		t.Fatalf("Failed to get ttl from json.Number: %v", err)
+	}
+
+	return ttl
 }
diff --git a/testutil/vault.go b/testutil/vault.go
index 1899c87ea..bb560cecd 100644
--- a/testutil/vault.go
+++ b/testutil/vault.go
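Review bot: The role write `l.Write("auth/token/roles/test", d)` discards both return values, so a failed role creation (wrong path, missing permission, Vault not ready) only surfaces later as a confusing CreateWithRole error; check it with `if _, err := l.Write("auth/token/roles/test", d); err != nil { t.Fatalf("failed to create role: %v", err) }`. The fixed `time.Sleep(8 * time.Second)` also ignores `testutil.TestMultiplier()`, which the EstablishConnection hunk above scales its sleep by, so the renewal window is not widened on slow hosts the way the rest of the file does it. If the token had actually expired, `a.Lookup` would presumably return an error rather than a zero ttl, so the `ttl == 0` check is mostly defensive — worth a comment saying so. As a matter of style, `parseTTLFromLookup(s, t)` puts `*testing.T` last and its final Fatalf message is capitalized unlike the others; `func parseTTLFromLookup(t *testing.T, s *vapi.Secret) int64` and a lowercase `"failed to get ttl from json.Number: %v"` would match the file's conventions.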
@@ -59,7 +59,7 @@ func NewTestVault(t *testing.T) *TestVault {
 	if err != nil {
 		t.Fatalf("failed to build Vault API client: %v", err)
 	}
-	client.SetToken(root)
+	client.SetToken(token)
 
 	tv := &TestVault{
 		cmd: cmd,
@@ -91,6 +91,10 @@ func (tv *TestVault) Start() *TestVault {
 
 // Stop stops the test Vault server
 func (tv *TestVault) Stop() {
+	if tv.cmd.Process == nil {
+		return
+	}
+
 	if err := tv.cmd.Process.Kill(); err != nil {
 		tv.t.Errorf("err: %s", err)
 	}
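Review bot: The new nil guard makes Stop safe to call when Start() never ran, but the doc comment `// Stop stops the test Vault server` does not say so; extend it to `// Stop stops the test Vault server. It is a no-op if the server process was never started.` The guard still dereferences `tv.cmd` unconditionally, which is fine given NewTestVault populates `cmd: cmd` in the hunk above, but a zero-value TestVault would still panic here. Stop's body continues past the end of the hunk, so whether the killed process is reaped with Wait is not visible from this diff.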