diff --git a/lib/hx509/test_ca.in b/lib/hx509/test_ca.in
index a83d5fb22..2d0ef8ac4 100644
--- a/lib/hx509/test_ca.in
+++ b/lib/hx509/test_ca.in
@@ -178,6 +178,15 @@ ${hxtool} issue-certificate \
 	--subject="cn=ca2-cert" \
 	--certificate="FILE:cert-ca.pem" || exit 1
+echo "issue sub-ca cert (generate rsa key)"
+${hxtool} issue-certificate \
+	--ca-certificate=FILE:cert-ca.pem \
+	--issue-ca \
+	--serial-number="deadbeaf22" \
+	--generate-key=rsa \
+	--subject="cn=sub-ca2-cert" \
+	--certificate="FILE:cert-sub-ca.pem" || exit 1
+
 echo "issue ee cert (generate rsa key)"
 ${hxtool} issue-certificate \
 	--ca-certificate=FILE:cert-ca.pem \
@@ -185,11 +194,24 @@ ${hxtool} issue-certificate \
 	--subject="cn=cert-ee2" \
 	--certificate="FILE:cert-ee.pem" || exit 1
-echo "verify certificate"
+echo "issue sub-ca ee cert (generate rsa key)"
+${hxtool} issue-certificate \
+	--ca-certificate=FILE:cert-ca.pem \
+	--generate-key=rsa \
+	--subject="cn=cert-sub-ee2" \
+	--certificate="FILE:cert-sub-ee.pem" || exit 1
+
+echo "verify certificate (ee)"
 ${hxtool} verify --missing-revoke \
 	cert:FILE:cert-ee.pem \
 	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+echo "verify certificate (sub-ee)"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-sub-ee.pem \
+	chain:FILE:cert-sub-ca.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
 echo "sign CMS signature (generate key)"
 ${hxtool} cms-create-sd \
 	--certificate=FILE:cert-ee.pem \
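Review bot: The certificate labelled "sub-ca ee" in the second hunk is signed by the root rather than by the sub-CA: the issuance passes `--ca-certificate=FILE:cert-ca.pem`, so cert-sub-ee.pem chains directly to the anchor and the `chain:FILE:cert-sub-ca.pem` hint in the following verify step is never exercised — that verify would pass just as well without the chain line. Changing the issuer to `--ca-certificate=FILE:cert-sub-ca.pem` makes the sub-CA path the one actually under test; this presumes hxtool reads the generated sub-CA private key back from that file, which the later `--ca-private-key=FILE:cert-ca.pem` usage suggests it does for the root. It would also be worth asserting the negative case, that verify fails when the `chain:` argument is omitted, so a chain-building regression cannot hide behind a direct-to-anchor path. The surrounding script is unchanged outside these invocations.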
@@ -218,4 +240,34 @@ ${hxtool} verify --missing-revoke \
 	cert:FILE:cert-ee.pem \
 	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+echo "extend ca cert (template)"
+${hxtool} issue-certificate \
+	--self-signed \
+	--issue-ca \
+	--lifetime="3years" \
+	--template-certificate="FILE:cert-ca.pem" \
+	--template-fields="serialNumber,notBefore,subject" \
+	--ca-private-key=FILE:cert-ca.pem \
+	--certificate="FILE:cert-ca.pem" || exit 1
+
+echo "verify certificate generated by previous ca"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-ee.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+echo "extend sub-ca cert (template)"
+${hxtool} issue-certificate \
+	--ca-certificate=FILE:cert-ca.pem \
+	--issue-ca \
+	--lifetime="2years" \
+	--template-certificate="FILE:cert-sub-ca.pem" \
+	--template-fields="serialNumber,notBefore,subject,SPKI" \
+	--certificate="FILE:cert-sub-ca2.pem" || exit 1
+
+echo "verify certificate (sub-ee) with extended chain"
+${hxtool} verify --missing-revoke \
+	cert:FILE:cert-sub-ee.pem \
+	chain:FILE:cert-sub-ca.pem \
+	anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
 exit 0
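Review bot: The final verify step labelled "with extended chain" still passes `chain:FILE:cert-sub-ca.pem`, the original sub-CA certificate, while the extended sub-CA issued just above is written to `cert-sub-ca2.pem`, so the re-issued sub-CA is never chain-built against cert-sub-ee.pem and the step only repeats the earlier sub-ee check. The line should read `chain:FILE:cert-sub-ca2.pem` (or the sub-CA extension should write back to cert-sub-ca.pem, as the root extension does), which is also what would confirm that keeping `SPKI` in `--template-fields` preserved the key the existing EE signature was made with. Separately, the root extension uses cert-ca.pem as template, signing key and output file in a single command; a failure during the write would leave every later step without a usable CA, so writing to a fresh file and moving it into place on success would make the fixture more robust, though that is a judgement call for a test script.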