diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index fe2cdb64c..ccec2e159 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -281,17 +281,27 @@ if test "$pkinit" = yes -a "$rsa" = yes ; then
 		{ ec=1 ; eval "${testfailed}"; }
 	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
 	${kdestroy}
+
 	echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
 	${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key foo@${R} || \
 		{ ec=1 ; eval "${testfailed}"; }
 	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
 	${kdestroy}
+
 	echo "Trying pk-init (password protected key) $type"; > messages.log
 	${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
 		{ ec=1 ; eval "${testfailed}"; }
 	${kgetcred} ${server}@${R} || \
 	{ ec=1 ; eval "${testfailed}"; }
 	${kdestroy}
+
+	echo "Trying pk-init (proxy cert) $type"; > messages.log
+	base="${srcdir}/../../lib/hx509/data"
+	${kinit} $type -C FILE:${base}/pkinit-proxy-chain.crt,${base}/pkinit-proxy.key foo@${R} || \
+		{ ec=1 ; eval "${testfailed}"; }
+	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+	${kdestroy}
+
     done
 else
 	echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log