diff --git a/Makefile-test.am b/Makefile-test.am
index 5f2478aad..44bd795fb 100644
--- a/Makefile-test.am
+++ b/Makefile-test.am
@@ -404,6 +404,7 @@ FAPI_TESTS_INTEGRATION = \
     test/integration/fapi-policy-or-nv-read-write.fint \
     test/integration/fapi-second-provisioning.fint \
     test/integration/fapi-provisioning-error.fint \
+    test/integration/fapi-provisioning-cert-error.fint \
     test/integration/fapi-info.fint \
     test/integration/fapi-unseal.fint \
     test/integration/fapi-unseal-persistent.fint
@@ -2547,6 +2548,14 @@ test_integration_fapi_provisioning_error_fint_SOURCES = \
     test/integration/fapi-provisioning-error.int.c \
     test/integration/main-fapi.c test/integration/test-fapi.h
 
+test_integration_fapi_provisioning_cert_error_fint_CFLAGS  = $(TESTS_CFLAGS) \
+ -DSELF_SIGNED_CERTIFICATE
+test_integration_fapi_provisioning_cert_error_fint_LDADD   = $(TESTS_LDADD)
+test_integration_fapi_provisioning_cert_error_fint_LDFLAGS = $(TESTS_LDFLAGS)
+test_integration_fapi_provisioning_cert_error_fint_SOURCES = \
+    test/integration/fapi-provisioning-cert-error.int.c \
+    test/integration/main-fapi.c test/integration/test-fapi.h
+
 test_integration_fapi_quote_destructive_fint_CFLAGS  = $(TESTS_CFLAGS)
 test_integration_fapi_quote_destructive_fint_LDADD   = $(TESTS_LDADD)
 test_integration_fapi_quote_destructive_fint_LDFLAGS = $(TESTS_LDFLAGS)
diff --git a/script/ekca/create_ca.sh b/script/ekca/create_ca.sh
index 61d976a32..3a57ec07c 100755
--- a/script/ekca/create_ca.sh
+++ b/script/ekca/create_ca.sh
@@ -84,7 +84,7 @@ mkdir certreqs certs crl newcerts private
 touch intermed-ca.index
 echo 00 > intermed-ca.crlnum
 echo 2000 > intermed-ca.serial
-echo "abcdef" > pass.txt
+echo "123456" > pass.txt
 
 cp "${EKCADIR}/intermed-ca.cnf" ./
 export OPENSSL_CONF=./intermed-ca.cnf
diff --git a/script/ekca/init_ca.sh b/script/ekca/init_ca.sh
index 8d6ba197e..7dd757fc8 100755
--- a/script/ekca/init_ca.sh
+++ b/script/ekca/init_ca.sh
@@ -78,7 +78,7 @@ mkdir certreqs certs crl newcerts private
 touch intermed-ca.index
 echo 00 > intermed-ca.crlnum
 echo 2000 > intermed-ca.serial
-echo "abcdef" > pass.txt
+echo "123456" > pass.txt
 
 cp "${EKCADIR}/intermed-ca.cnf" ./
 export OPENSSL_CONF=./intermed-ca.cnf
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
index b7a2bf06d..bcf25f06f 100644
--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -895,6 +895,12 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
 #pragma message ( "*** Allow self generated certifcate ***" )
             root_ca_file = getenv("FAPI_TEST_ROOT_CERT");
 
+            if (root_ca_file && strcasecmp(root_ca_file, "self") == 0) {
+                /* The self signed root ca file will as intermediate certificate. */
+                context->state = PROVISION_PREPARE_READ_INT_CERT;
+                return TSS2_FAPI_RC_TRY_AGAIN;
+            }
+
             if (!root_ca_file && ifapi_io_path_exists(FAPI_TEST_ROOT_CERT_FILE)) {
                 root_ca_file = FAPI_TEST_ROOT_CERT_FILE;
             }
diff --git a/test/integration/fapi-provisioning-cert-error.int.c b/test/integration/fapi-provisioning-cert-error.int.c
new file mode 100644
index 000000000..9e87b6779
--- /dev/null
+++ b/test/integration/fapi-provisioning-cert-error.int.c
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+/*******************************************************************************
+ * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
+ * All rights reserved.
+ *******************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+
+#include "tss2_fapi.h"
+#include "tss2_esys.h"
+
+#include "test-fapi.h"
+#include "fapi_util.h"
+#include "fapi_int.h"
+#include "tss2_esys.h"
+
+#include "esys_iutil.h"
+#define LOGMODULE test
+#include "util/log.h"
+#include "util/aux_util.h"
+#include "tss2_mu.h"
+#include "fapi_int.h"
+
+
+/** Test the FAPI cleanup in an error case.
+ *
+ * Tested FAPI commands:
+ *  - Fapi_Provision()
+ *
+ * @param[in,out] context The FAPI_CONTEXT.
+ * @retval EXIT_FAILURE
+ * @retval EXIT_SUCCESS
+ */
+int
+test_fapi_test_provisioning_cert_error(FAPI_CONTEXT *context)
+{
+    TSS2_RC r;
+
+#ifndef SELF_SIGNED_CERTIFICATE
+    return EXIT_SKIP;
+#endif
+
+
+    setenv("FAPI_TEST_ROOT_CERT", "self", 1);
+    setenv("FAPI_TEST_INT_CERT",  "./ca/root-ca/root-ca.cert.pem", 1);
+
+    r = Fapi_Provision(context, NULL, NULL, NULL);
+
+    if (r == TSS2_FAPI_RC_GENERAL_FAILURE)
+        return EXIT_SUCCESS;
+
+    LOG_ERROR("Test with self signed certificate did not fail.");
+    return EXIT_FAILURE;
+
+}
+
+int
+test_invoke_fapi(FAPI_CONTEXT *fapi_context)
+{
+    return test_fapi_test_provisioning_cert_error(fapi_context);
+}
diff --git a/test/integration/main-fapi.c b/test/integration/main-fapi.c
index b8a3aedc2..b68f1e43c 100644
--- a/test/integration/main-fapi.c
+++ b/test/integration/main-fapi.c
@@ -856,7 +856,7 @@ get_ecc_ek_public(TSS2_SYS_CONTEXT *sys_context, EVP_PKEY **evp_pub)
 
 }
 
-char pwd[6] = "abcdef";
+char pwd[6] = "123456";
 
 int pass_cb(char *buf, int size, int rwflag, void *u)
 {
@@ -949,7 +949,7 @@ load_intermed_cert_and_key(const char *ca_key_path, EVP_PKEY **ca_key,
         unsigned long err = ERR_get_error();
         char err_buffer[256];
         ERR_error_string_n(err, err_buffer, sizeof(err_buffer));
-        LOG_ERROR("Failure in BIO_read_filename %s", err_buffer);
+        LOG_ERROR("Failure in BIO_read_filename \"%s\" %s", ca_cert_path, err_buffer);
         goto error_cleanup;
     }
     *ca_crt = PEM_read_bio_X509(bio, NULL, NULL, NULL);
@@ -965,7 +965,7 @@ load_intermed_cert_and_key(const char *ca_key_path, EVP_PKEY **ca_key,
         unsigned long err = ERR_get_error();
         char err_buffer[256];
         ERR_error_string_n(err, err_buffer, sizeof(err_buffer));
-        LOG_ERROR("Failure in BIO_read_filename %s", err_buffer);
+        LOG_ERROR("Failure in BIO_read_filename \"%s\" %s", ca_key_path, err_buffer);
         goto error_cleanup;
     }
     *ca_key = PEM_read_bio_PrivateKey(bio, NULL, pass_cb, NULL);
@@ -1264,11 +1264,24 @@ init_ek_certificates(TSS2_SYS_CONTEXT *sys_ctx)
         goto error_cleanup;
     }
 
-    rc = load_intermed_cert_and_key("ca/intermed-ca/private/intermed-ca.key.pem",
+#ifdef SELF_SIGNED_CERTIFICATE
+    /* The self signed root certificate will be used as intermediate
+       certificate. */
+    rc = load_intermed_cert_and_key("./ca/root-ca/private/root-ca.key.pem",
                                     &intermed_key,
-                                    "ca/intermed-ca/intermed-ca.cert.pem",
+                                    ./"ca/root-ca/root-ca.cert.pem",
                                     &intermed_cert);
-    if (rc != TSS2_RC_SUCCESS) {
+#else
+    system("pwd 1>&2");
+    system("ls -l  ./ca/intermed-ca/ 1>&2");
+    system("ls -l  ./ca/intermed-ca/private/ 1>&2")
+    rc = load_intermed_cert_and_key("./ca/intermed-ca/private/intermed-ca.key.pem",
+                                    &intermed_key,
+                                    "./ca/intermed-ca/intermed-ca.cert.pem",
+                                    &intermed_cert);
+#endif
+
+     if (rc != TSS2_RC_SUCCESS) {
         LOG_ERROR("Failed to load intermediate key and cert %s\n", Tss2_RC_Decode(rc));
         goto error_cleanup;
     }