diff --git a/testing/hosts/winnetou/etc/ca/generate-crl b/testing/hosts/winnetou/etc/ca/generate-crl
index a59245d212..ab6558f987 100755
--- a/testing/hosts/winnetou/etc/ca/generate-crl
+++ b/testing/hosts/winnetou/etc/ca/generate-crl
@@ -82,6 +82,18 @@ do
   mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40`
 done
 
+##
+# Levels CA and sub-CAs
+cd /etc/ca/levels
+
+# generate CRLs for Levels CA and sub-CAs
+pki --signcrl --cakey levelsKey.pem --cacert levelsCert.pem \
+    > ${ROOT}/levels.crl
+pki --signcrl --cakey levelsKey_l2.pem --cacert levelsCert_l2.pem \
+    > ${ROOT}/levels_l2.crl
+pki --signcrl --cakey levelsKey_l3.pem --cacert levelsCert_l3.pem \
+    > ${ROOT}/levels_l3.crl
+
 ##
 # strongSwan EC Root CA
 cd /etc/ca/ecdsa
diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot
index 7d464c3681..714afdbd7a 100755
--- a/testing/scripts/build-certs-chroot
+++ b/testing/scripts/build-certs-chroot
@@ -44,6 +44,17 @@ SALES_CERT="${SALES_DIR}/salesCert.pem"
 SALES_CERT_DER="${SALES_DIR}/salesCert.der"
 SALES_CDP="http://crl.strongswan.org/sales.crl"
 #
+LEVELS_DIR="${CA_DIR}/levels"
+LEVELS_KEY="${LEVELS_DIR}/levelsKey.pem"
+LEVELS_CERT="${LEVELS_DIR}/levelsCert.pem"
+LEVELS_CDP="http://crl.strongswan.org/levels.crl"
+LEVELS_L2_KEY="${LEVELS_DIR}/levelsKey_l2.pem"
+LEVELS_L2_CERT="${LEVELS_DIR}/levelsCert_l2.pem"
+LEVELS_L2_CDP="http://crl.strongswan.org/levels_l2.crl"
+LEVELS_L3_KEY="${LEVELS_DIR}/levelsKey_l3.pem"
+LEVELS_L3_CERT="${LEVELS_DIR}/levelsCert_l3.pem"
+LEVELS_L3_CDP="http://crl.strongswan.org/levels_l3.crl"
+#
 DUCK_DIR="${CA_DIR}/duck"
 DUCK_KEY="${DUCK_DIR}/duckKey.pem"
 DUCK_CERT="${DUCK_DIR}/duckCert.pem"
@@ -94,6 +105,7 @@ mkdir -p ${RESEARCH_DIR}/certs
 mkdir -p ${RESEARCH_DIR}/keys
 mkdir -p ${SALES_DIR}/certs
 mkdir -p ${SALES_DIR}/keys
+mkdir -p ${LEVELS_DIR}/certs
 mkdir -p ${DUCK_DIR}/certs
 mkdir -p ${ECDSA_DIR}/certs
 mkdir -p ${RFC3779_DIR}/certs
@@ -159,7 +171,8 @@ done
 
 # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
 for t in host2host-initiator host2host-responder host2host-xfrmproxy \
-         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
+         multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
+         xfrmproxy-rekey
 do
   TEST="${TEST_DIR}/tkm/${t}"
   mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
@@ -579,6 +592,52 @@ done
 # Convert Sales CA certificate into DER format
 openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
 
+################################################################################
+# Multi-level CA Certificate Generation                                        #
+################################################################################
+
+# Generate Levels Root CA (pathlen is higher than the regular root)
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_KEY}
+pki --self --type rsa --in ${LEVELS_KEY} --not-before "${START}" --not-after "${CA_END}" \
+    --ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \
+    --outform pem > ${LEVELS_CERT}
+
+# For TKM's CA ID mapping
+LEVELS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${LEVELS_KEY}`
+
+# Generate Levels L2 CA signed by Levels Root CA
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L2_KEY}
+pki --issue --cakey ${LEVELS_KEY} --cacert ${LEVELS_CERT} --crl ${LEVELS_CDP} \
+    --type rsa --in ${LEVELS_L2_KEY} --not-before "${START}" --not-after "${IM_END}" \
+    --ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \
+    --outform pem > ${LEVELS_L2_CERT}
+
+# Generate Levels L3 CA signed by Levels L2 CA
+pki --gen  --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L3_KEY}
+pki --issue --cakey ${LEVELS_L2_KEY} --cacert ${LEVELS_L2_CERT} --crl ${LEVELS_L2_CDP} \
+    --type rsa --in ${LEVELS_L3_KEY} --not-before "${START}" --not-after "${IM_END}" \
+    --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \
+    --outform pem > ${LEVELS_L3_CERT}
+
+for t in swanctl/multi-level-ca-l3 tkm/multi-level-ca
+do
+  TEST="${TEST_DIR}/${t}"
+  for h in moon carol
+  do
+    mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+    cp ${LEVELS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+  done
+  cp ${LEVELS_L2_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+  cp ${LEVELS_L3_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+done
+
+# Put DER-encoded Levels CA certificate into tkm scenario
+TEST="${TEST_DIR}/tkm/multi-level-ca"
+mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
+openssl x509 -in ${LEVELS_CERT} -outform der -out ${TEST}/hosts/moon/${TKM_DIR}/levelsCert.der
+
+################################################################################
+
 # Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
 TEST="${TEST_DIR}/ikev2/strong-keys-certs"
 TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
@@ -1113,6 +1172,34 @@ cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
 cp ${SALES_DIR}/index.txt.template ${SALES_DIR}/index.txt
 sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
 
+################################################################################
+# Levels L3 CA                                                                 #
+################################################################################
+
+# Generate a carol l3 certificate
+TEST="${TEST_DIR}/swanctl/multi-level-ca-l3"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \
+    --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+    --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \
+    --crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem
+
+for t in tkm/multi-level-ca
+do
+  TEST="${TEST_DIR}/${t}"
+  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+  cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+  cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+done
+
 ################################################################################
 # strongSwan EC Root CA                                                        #
 ################################################################################
@@ -1931,13 +2018,15 @@ done
 ################################################################################
 
 for t in host2host-initiator host2host-responder host2host-xfrmproxy \
-         net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
+         multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
+         xfrmproxy-rekey
 do
   for h in moon
   do
     TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf"
     sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
         -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
+        -e "s/LEVELS_SPK_HEX/${LEVELS_SPK_HEX}/g" \
         ${TEST_DATA}.in > ${TEST_DATA}
   done
 done
diff --git a/testing/tests/swanctl/multi-level-ca-l3/description.txt b/testing/tests/swanctl/multi-level-ca-l3/description.txt
new file mode 100644
index 0000000000..6ddfc371e9
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/description.txt
@@ -0,0 +1,9 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different PKIs. Access to <b>alice</b> is granted
+to users presenting a certificate issued by the Levels Root CA (or any of its
+intermediate CAs) whereas <b>venus</b> can only be reached with a certificate
+issued by the regular strongSwan Root CA.
+The roadwarriors <b>carol</b> and <b>dave</b> have certificates from the
+Levels CA (actually from an second level intermediate CA) and strongSwan CA,
+respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
+can reach <b>venus</b>.
diff --git a/testing/tests/swanctl/multi-level-ca-l3/evaltest.dat b/testing/tests/swanctl/multi-level-ca-l3/evaltest.dat
new file mode 100644
index 0000000000..10898f6bca
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/evaltest.dat
@@ -0,0 +1,21 @@
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*levels.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Levels Root CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*levels_l2.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Levels L2 CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*levels_l3.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Levels L3 CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::levels.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Levels Root CA::YES
+moon:: cat /var/log/daemon.log::selected peer config.*levels.*unacceptable::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*rw::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::levels.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..857bc16eff
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..eb52ea5c9e
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         cacerts = strongswanCert.pem
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..f3b571a1b4
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..38145cfc50
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,48 @@
+connections {
+
+   levels {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = levelsCert.pem
+         revocation = ifuri
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = strongswanCert.pem
+         revocation = ifuri
+      }
+      children {
+         venus {
+            local_ts  = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/multi-level-ca-l3/posttest.dat b/testing/tests/swanctl/multi-level-ca-l3/posttest.dat
new file mode 100644
index 0000000000..90f6e12732
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/posttest.dat
@@ -0,0 +1,7 @@
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
diff --git a/testing/tests/swanctl/multi-level-ca-l3/pretest.dat b/testing/tests/swanctl/multi-level-ca-l3/pretest.dat
new file mode 100644
index 0000000000..456938cc47
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/pretest.dat
@@ -0,0 +1,10 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection alice
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/swanctl/multi-level-ca-l3/test.conf b/testing/tests/swanctl/multi-level-ca-l3/test.conf
new file mode 100644
index 0000000000..c295cf019c
--- /dev/null
+++ b/testing/tests/swanctl/multi-level-ca-l3/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tkm/.gitignore b/testing/tests/tkm/.gitignore
index 7fce40b548..86d75283bb 100644
--- a/testing/tests/tkm/.gitignore
+++ b/testing/tests/tkm/.gitignore
@@ -1,2 +1,3 @@
 *.der
+*.pem
 strongswan.conf
diff --git a/testing/tests/tkm/multi-level-ca/description.txt b/testing/tests/tkm/multi-level-ca/description.txt
new file mode 100644
index 0000000000..e9b9aa1922
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/description.txt
@@ -0,0 +1,6 @@
+Two transport connections to gateway <b>moon</b> are set up, one from client
+<b>carol</b> and the other from client <b>dave</b>. The gateway <b>moon</b> uses
+the Trusted Key Manager (TKM) and is the responder for both connections. The
+authentication is based on X.509 certificates, where <b>carol</b> uses a
+certificate issued by a multi-level CA. In order to test the connections,
+both <b>carol</b> and <b>dave</b> ping gateway <b>moon</b>.
diff --git a/testing/tests/tkm/multi-level-ca/evaltest.dat b/testing/tests/tkm/multi-level-ca/evaltest.dat
new file mode 100644
index 0000000000..0c1794fd25
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/evaltest.dat
@@ -0,0 +1,19 @@
+moon::  swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.100/32]::YES
+moon::  swanctl --list-sas --raw 2> /dev/null::conn2.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn2.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.100/32] remote-ts=\[192.168.0.1/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.200/32] remote-ts=\[192.168.0.1/32]::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+dave::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.100 \]::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.1 <-> 192.168.0.200 \]::YES
+moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 2::YES
+moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 1::YES
+moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::2
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
+moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tkm/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..28cbb854b3
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_CAROL
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = carolCert.pem
+      id = carol@strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
diff --git a/testing/tests/tkm/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tkm/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..4e714128be
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_DAVE
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = daveCert.pem
+      id = dave@strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
diff --git a/testing/tests/tkm/multi-level-ca/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/multi-level-ca/hosts/moon/etc/strongswan.conf.in
new file mode 100644
index 0000000000..6cbb3ba582
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/hosts/moon/etc/strongswan.conf.in
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+  dh_mapping {
+    15 = 1
+    16 = 2
+  }
+  ca_mapping {
+    strongswan_ca {
+      id = 1
+      fingerprint = CA_SPK_HEX
+    }
+    levels_ca {
+      id = 2
+      fingerprint = LEVELS_SPK_HEX
+    }
+  }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
+}
diff --git a/testing/tests/tkm/multi-level-ca/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/multi-level-ca/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 0000000000..209cd857ff
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,36 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>carol@strongswan.org</identity>
+            <ip>192.168.0.100</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+    <policy id="2">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>dave@strongswan.org</identity>
+            <ip>192.168.0.200</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/multi-level-ca/posttest.dat b/testing/tests/tkm/multi-level-ca/posttest.dat
new file mode 100644
index 0000000000..7064a5d48d
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/posttest.dat
@@ -0,0 +1,7 @@
+moon::service charon-tkm stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
+carol::rm /etc/swanctl/x509ca/*
diff --git a/testing/tests/tkm/multi-level-ca/pretest.dat b/testing/tests/tkm/multi-level-ca/pretest.dat
new file mode 100644
index 0000000000..8e748323a1
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/pretest.dat
@@ -0,0 +1,14 @@
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1,/etc/tkm/levelsCert.der:2 >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::service charon-tkm start
+carol::systemctl start strongswan
+carol::expect-connection host-host
+dave::systemctl start strongswan
+dave::expect-connection host-host
+moon::expect-connection conn1
+moon::expect-connection conn2
+carol::swanctl --initiate --child host-host 2> /dev/null
+dave::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/tkm/multi-level-ca/test.conf b/testing/tests/tkm/multi-level-ca/test.conf
new file mode 100644
index 0000000000..6e3b942186
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="carol dave moon winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol dave moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1