diff --git a/lib/hx509/test_ca.in b/lib/hx509/test_ca.in
index 2e19d3ca2..b4889f4b2 100644
--- a/lib/hx509/test_ca.in
+++ b/lib/hx509/test_ca.in
@@ -154,16 +154,17 @@ echo "issue ca cert (generate rsa key)"
 ${hxtool} issue-certificate \
 --self-signed \
 --issue-ca \
+ --serial-number="deadbeaf" \
 --generate-key=rsa \
- --key="ca2-key.der" \
+ --out-key="ca2-key.der" \
 --subject="cn=ca2-cert" \
 --certificate="cert-ca.der" || exit 1
 
-echo "issue ca cert (generate rsa key)"
+echo "issue ee cert (generate rsa key)"
 ${hxtool} issue-certificate \
 --ca-certificate=FILE:cert-ca.der,ca2-key.der \
 --generate-key=rsa \
- --key="ee2-key.der" \
+ --out-key="ee2-key.der" \
 --subject="cn=cert-ee2" \
 --certificate="cert-ee.der" || exit 1
 
@@ -185,6 +186,23 @@ ${hxtool} cms-verify-sd \
 sd.data sd.data.out > /dev/null || exit 1
 cmp "$srcdir/test_name.c" sd.data.out || exit 1
 
+openssl x509 -in cert-ca.der -inform der -text > diff1
+echo "extend ca cert"
+${hxtool} issue-certificate \
+ --self-signed \
+ --issue-ca \
+ --lifetime="2years" \
+ --serial-number="deadbeaf" \
+ --ca-private-key=ca2-key.der \
+ --subject="cn=ca2-cert" \
+ --certificate="cert-ca.der" || exit 1
+openssl x509 -in cert-ca.der -inform der -text > diff2
+
+echo "verify certificate generated by previous ca"
+${hxtool} verify --missing-revoke \
+ cert:FILE:cert-ee.der \
+ anchor:FILE:cert-ca.der > /dev/null || exit 1
+
 exit 0
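Review bot: The serial `deadbeaf` added to the first `issue-certificate` call is a bare literal that the "extend ca cert" step in the second hunk repeats, and nothing ties the two together. The re-issue appears to rely on subject and serial staying identical, so one assignment such as `ca2_serial="deadbeaf"`, used as `--serial-number="$ca2_serial"` in both calls, would keep them from drifting apart. A short comment like `# fixed serial: the CA cert is re-issued with the same serial further down` would also explain why the test pins a serial at all.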
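Review bot: The two `openssl x509 ... -text` dumps into `diff1` and `diff2` are never compared, and neither call is followed by `|| exit 1`, so this part of the test asserts nothing and still passes when `openssl` is not on PATH. If the dumps are meant to show that the re-issued CA certificate really changed (presumably only its validity and signature), check it, for example with `cmp -s diff1 diff2 && exit 1` after the second dump. Otherwise drop both dumps and the new dependency on the openssl CLI. The final `verify` runs with `--missing-revoke`, so it exercises chain building only; a comment such as `# no revocation data in this test; only the chain to the re-issued CA is checked` would make that limit explicit.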