diff --git a/.cirrus.yml b/.cirrus.yml
index 91297e69a..2b638f8a2 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -28,6 +28,9 @@ task:
     - cd libusb && ./bootstrap.sh && ./configure && gmake -j install
     - cd - && rm -fr libusb
   script:
+    #
+    # Due to a race condition that only occurs in the cirrus ci, "make distcheck" has been replaced by "make check".
+    #
     ./bootstrap &&
     ./configure --enable-self-generated-certificate --enable-unit=yes --enable-integration=yes --with-crypto=ossl --disable-doxygen-doc --enable-tcti-swtpm=no --enable-tcti-libtpms=no --enable-tcti-mssim=yes --disable-dependency-tracking &&
-    gmake -j distcheck || { cat /tmp/cirrus-ci-build/tpm2-tss-*/_build/sub/test-suite.log; exit 1; }
+    gmake -j check || { cat /tmp/cirrus-ci-build/tpm2-tss-*/_build/sub/test-suite.log; exit 1; }
diff --git a/Makefile-test.am b/Makefile-test.am
index 5f2478aad..44bd795fb 100644
--- a/Makefile-test.am
+++ b/Makefile-test.am
@@ -404,6 +404,7 @@ FAPI_TESTS_INTEGRATION = \
     test/integration/fapi-policy-or-nv-read-write.fint \
     test/integration/fapi-second-provisioning.fint \
     test/integration/fapi-provisioning-error.fint \
+    test/integration/fapi-provisioning-cert-error.fint \
     test/integration/fapi-info.fint \
     test/integration/fapi-unseal.fint \
     test/integration/fapi-unseal-persistent.fint
@@ -2547,6 +2548,14 @@ test_integration_fapi_provisioning_error_fint_SOURCES = \
     test/integration/fapi-provisioning-error.int.c \
     test/integration/main-fapi.c test/integration/test-fapi.h
 
+test_integration_fapi_provisioning_cert_error_fint_CFLAGS  = $(TESTS_CFLAGS) \
+ -DSELF_SIGNED_CERTIFICATE
+test_integration_fapi_provisioning_cert_error_fint_LDADD   = $(TESTS_LDADD)
+test_integration_fapi_provisioning_cert_error_fint_LDFLAGS = $(TESTS_LDFLAGS)
+test_integration_fapi_provisioning_cert_error_fint_SOURCES = \
+    test/integration/fapi-provisioning-cert-error.int.c \
+    test/integration/main-fapi.c test/integration/test-fapi.h
+
 test_integration_fapi_quote_destructive_fint_CFLAGS  = $(TESTS_CFLAGS)
 test_integration_fapi_quote_destructive_fint_LDADD   = $(TESTS_LDADD)
 test_integration_fapi_quote_destructive_fint_LDFLAGS = $(TESTS_LDFLAGS)
diff --git a/Makefile.am b/Makefile.am
index af0d83347..2327266f1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -55,9 +55,16 @@ GITIGNOREFILES = ""
 if AUTOCONF_CODE_COVERAGE_2019_01_06
 include $(top_srcdir)/aminclude_static.am
 clean-local: code-coverage-clean
+	-rm -r -f $(top_builddir)/ca
 distclean-local: code-coverage-dist-clean
+	-rm -r -f $(top_builddir)/ca
 else
 @CODE_COVERAGE_RULES@
+clean-local:
+	-rm -r -f $(top_builddir)/ca
+distclean-local:
+	-rm -r -f $(top_builddir)/ca
+
 endif
 GITIGNOREFILES += $(TSS_GITIGNOREFILES)
 CODE_COVERAGE_DIRECTORY = $(top_builddir)/src $(top_builddir)/test
@@ -990,15 +997,11 @@ install-data-hook: install-dirs
 	fi
 
 uninstall-local:
-	-rm -r -f $(top_builddir)/ca
 	-rm $(DESTDIR)$(udevrulesdir)/$(udevrulesprefix)tpm-udev.rules
 	cd $(DESTDIR)$(man3dir) && \
 		[ -L Tss2_TctiLdr_Initialize_Ex.3 ] && \
 			rm -f Tss2_TctiLdr_Initialize_Ex.3 || true
 
-clean-hook:
-	-rm -r -f $(top_builddir)/ca
-
 prepare-check:
 if INIT_CA
 	$(top_srcdir)/script/ekca/init_ca.sh $(top_builddir)
@@ -1037,7 +1040,10 @@ EXTRA_DIST += \
 
 CLEANFILES += \
     $(man3_MANS) \
-    $(man7_MANS)
+    $(man7_MANS) \
+    $(top_builddir)/ca
+
+DISTCLEANFILES += $(top_builddir)/ca
 
 # function to transform man .in files to man pages
 # $1: target
diff --git a/script/ekca/create_ca.sh b/script/ekca/create_ca.sh
index 61d976a32..3a57ec07c 100755
--- a/script/ekca/create_ca.sh
+++ b/script/ekca/create_ca.sh
@@ -84,7 +84,7 @@ mkdir certreqs certs crl newcerts private
 touch intermed-ca.index
 echo 00 > intermed-ca.crlnum
 echo 2000 > intermed-ca.serial
-echo "abcdef" > pass.txt
+echo "123456" > pass.txt
 
 cp "${EKCADIR}/intermed-ca.cnf" ./
 export OPENSSL_CONF=./intermed-ca.cnf
diff --git a/script/ekca/init_ca.sh b/script/ekca/init_ca.sh
index 8d6ba197e..fd1864089 100755
--- a/script/ekca/init_ca.sh
+++ b/script/ekca/init_ca.sh
@@ -25,6 +25,7 @@ if test -e $CA_DIR; then
     exit
 fi
 mkdir -p $CA_DIR
+echo "CA build in \"$CA_DIR\" realpath: \"$(realpath $CA_DIR)\"" 1>&2
 
 pushd "$CA_DIR"
 
@@ -78,7 +79,7 @@ mkdir certreqs certs crl newcerts private
 touch intermed-ca.index
 echo 00 > intermed-ca.crlnum
 echo 2000 > intermed-ca.serial
-echo "abcdef" > pass.txt
+echo "123456" > pass.txt
 
 cp "${EKCADIR}/intermed-ca.cnf" ./
 export OPENSSL_CONF=./intermed-ca.cnf
@@ -128,3 +129,4 @@ openssl ca -gencrl  -cert ../root-ca/certs/intermed-ca.cert.pem \
 openssl crl -in intermed-ca.crl.pem -outform DER -out intermed-ca.crl
 
 popd #intermed-ca
+sync
diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
index b7a2bf06d..4a44eaab1 100644
--- a/src/tss2-fapi/api/Fapi_Provision.c
+++ b/src/tss2-fapi/api/Fapi_Provision.c
@@ -895,6 +895,12 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
 #pragma message ( "*** Allow self generated certifcate ***" )
             root_ca_file = getenv("FAPI_TEST_ROOT_CERT");
 
+            if (root_ca_file && strcasecmp(root_ca_file, "self") == 0) {
+                /* The self signed root cert will be used as intermediate certificate. */
+                context->state = PROVISION_PREPARE_READ_INT_CERT;
+                return TSS2_FAPI_RC_TRY_AGAIN;
+            }
+
             if (!root_ca_file && ifapi_io_path_exists(FAPI_TEST_ROOT_CERT_FILE)) {
                 root_ca_file = FAPI_TEST_ROOT_CERT_FILE;
             }
diff --git a/test/integration/fapi-provisioning-cert-error.int.c b/test/integration/fapi-provisioning-cert-error.int.c
new file mode 100644
index 000000000..9e87b6779
--- /dev/null
+++ b/test/integration/fapi-provisioning-cert-error.int.c
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+/*******************************************************************************
+ * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
+ * All rights reserved.
+ *******************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+
+#include "tss2_fapi.h"
+#include "tss2_esys.h"
+
+#include "test-fapi.h"
+#include "fapi_util.h"
+#include "fapi_int.h"
+#include "tss2_esys.h"
+
+#include "esys_iutil.h"
+#define LOGMODULE test
+#include "util/log.h"
+#include "util/aux_util.h"
+#include "tss2_mu.h"
+#include "fapi_int.h"
+
+
+/** Test the FAPI cleanup in an error case.
+ *
+ * Tested FAPI commands:
+ *  - Fapi_Provision()
+ *
+ * @param[in,out] context The FAPI_CONTEXT.
+ * @retval EXIT_FAILURE
+ * @retval EXIT_SUCCESS
+ */
+int
+test_fapi_test_provisioning_cert_error(FAPI_CONTEXT *context)
+{
+    TSS2_RC r;
+
+#ifndef SELF_SIGNED_CERTIFICATE
+    return EXIT_SKIP;
+#endif
+
+
+    setenv("FAPI_TEST_ROOT_CERT", "self", 1);
+    setenv("FAPI_TEST_INT_CERT",  "./ca/root-ca/root-ca.cert.pem", 1);
+
+    r = Fapi_Provision(context, NULL, NULL, NULL);
+
+    if (r == TSS2_FAPI_RC_GENERAL_FAILURE)
+        return EXIT_SUCCESS;
+
+    LOG_ERROR("Test with self signed certificate did not fail.");
+    return EXIT_FAILURE;
+
+}
+
+int
+test_invoke_fapi(FAPI_CONTEXT *fapi_context)
+{
+    return test_fapi_test_provisioning_cert_error(fapi_context);
+}
diff --git a/test/integration/main-fapi.c b/test/integration/main-fapi.c
index b8a3aedc2..a0926f631 100644
--- a/test/integration/main-fapi.c
+++ b/test/integration/main-fapi.c
@@ -856,7 +856,7 @@ get_ecc_ek_public(TSS2_SYS_CONTEXT *sys_context, EVP_PKEY **evp_pub)
 
 }
 
-char pwd[6] = "abcdef";
+char pwd[6] = "123456";
 
 int pass_cb(char *buf, int size, int rwflag, void *u)
 {
@@ -949,7 +949,7 @@ load_intermed_cert_and_key(const char *ca_key_path, EVP_PKEY **ca_key,
         unsigned long err = ERR_get_error();
         char err_buffer[256];
         ERR_error_string_n(err, err_buffer, sizeof(err_buffer));
-        LOG_ERROR("Failure in BIO_read_filename %s", err_buffer);
+        LOG_ERROR("Failure in BIO_read_filename \"%s\" %s", ca_cert_path, err_buffer);
         goto error_cleanup;
     }
     *ca_crt = PEM_read_bio_X509(bio, NULL, NULL, NULL);
@@ -965,7 +965,7 @@ load_intermed_cert_and_key(const char *ca_key_path, EVP_PKEY **ca_key,
         unsigned long err = ERR_get_error();
         char err_buffer[256];
         ERR_error_string_n(err, err_buffer, sizeof(err_buffer));
-        LOG_ERROR("Failure in BIO_read_filename %s", err_buffer);
+        LOG_ERROR("Failure in BIO_read_filename \"%s\" %s", ca_key_path, err_buffer);
         goto error_cleanup;
     }
     *ca_key = PEM_read_bio_PrivateKey(bio, NULL, pass_cb, NULL);
@@ -1264,11 +1264,20 @@ init_ek_certificates(TSS2_SYS_CONTEXT *sys_ctx)
         goto error_cleanup;
     }
 
-    rc = load_intermed_cert_and_key("ca/intermed-ca/private/intermed-ca.key.pem",
+#ifdef SELF_SIGNED_CERTIFICATE
+    /* The self signed root cert will be used as intermediate certificate. */
+    rc = load_intermed_cert_and_key("./ca/root-ca/private/root-ca.key.pem",
                                     &intermed_key,
-                                    "ca/intermed-ca/intermed-ca.cert.pem",
+                                    "./ca/root-ca/root-ca.cert.pem",
                                     &intermed_cert);
-    if (rc != TSS2_RC_SUCCESS) {
+#else
+    rc = load_intermed_cert_and_key("./ca/intermed-ca/private/intermed-ca.key.pem",
+                                    &intermed_key,
+                                    "./ca/intermed-ca/intermed-ca.cert.pem",
+                                    &intermed_cert);
+#endif
+
+     if (rc != TSS2_RC_SUCCESS) {
         LOG_ERROR("Failed to load intermediate key and cert %s\n", Tss2_RC_Decode(rc));
         goto error_cleanup;
     }