diff --git a/tests/hwsim/auth_serv/openssl2.cnf b/tests/hwsim/auth_serv/openssl2.cnf index 503d140d7..121982bea 100644 --- a/tests/hwsim/auth_serv/openssl2.cnf +++ b/tests/hwsim/auth_serv/openssl2.cnf @@ -132,6 +132,7 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer authorityInfoAccess = OCSP;URI:http://server.w1.fi:8888/ #@ALTNAME@ +#@CERTPOL@ extendedKeyUsage = serverAuth diff --git a/tests/hwsim/auth_serv/server-certpol.csr b/tests/hwsim/auth_serv/server-certpol.csr new file mode 100644 index 000000000..2e1c31a2b --- /dev/null +++ b/tests/hwsim/auth_serv/server-certpol.csr @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDlDCCAfwCAQAwTzELMAkGA1UEBhMCRkkxEDAOBgNVBAcMB1R1dXN1bGExDjAM +BgNVBAoMBXcxLmZpMR4wHAYDVQQDDBVzZXJ2ZXItcG9saWNpZXMudzEuZmkwggGi +MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDSpu+bvWBjoXWtS9NvWV6E+mSg +ZCQLeEj8jWaLL24dRCuuw22UusujNL4LTkeNW9mZpqgHCYdVsjd+R2dcdF8sg3my +CEe07E/vdVhnxlhMT2jBGBqETXgjSJoUOG5bShLrhsT3TDisY6dh+rNkfIkOKfef ++HXD75DCcZahq2nTwnQTz+j3CZjtOnnWxEZJk3g7FqWp3fDrvUSn3E7O96fJP3gI +iwXGFy7u3xGg9/VYgHbCNO+5eL7EXL5fXte3zaMSxON2/GSFZGVr2lzJOFA5iXLl +IO+5C8wyJjx5XkqNeI1q3XM6yEInQw3dBR+8hN9WLX6YUJ6LeLDn/ag5B1cFEvwA +74nwPwP2k1uwRFdhYUcFbMQWmGG4kzJFOfu7jjuHGF86B1fRmIkdhbde6htReZRc +2Pq9unUAA+P0A81c2xahrLf0k37smrDmnE5dPLoBMsxwykk8kv7SiIGd2/S7gP7v +iVDqgJW9xPoo2MCGYTfXmSuOuQZ4mghEF9oZNZcCAwEAAaAAMA0GCSqGSIb3DQEB +CwUAA4IBgQC9HigmR7s38B1IRYNJ1WwC7UlV4fFTElisntPXiQsDZzvZ0Gufsobx +Bk/As4DWsQEJ17EvF0LXnsgRG670bnh/YibkaVBF71XLkBAfkXGaa1nw4VNC4EEJ +sPIcrEQGxhkAJHvT3cZ0zWQnSKbcZbt6Vn0bNoRPihDKTek6dPPI9HamDsu0OBl1 +l8FdMfG4Ge1NquABvgBSrt85XHXfCBYlXBsnJ5XeA8A2t7JtW6C51EVGGachglPB +ajrtuD00puJ+Cx+a7k5OHniTpAUHS6EOYpcWcUrzIKVCAGlHFd4XOZdD0hP7/eFR +H57JjFTwDENSCU1GiRwra/ACswR2XWYQH0v+CvbKUx6ZivtKLkuGr4go/YIgVeXq +WM7b+tDopZVFsjdrbkuefkimYIJdwmZXukM5qP0pKTGNM9zeBaAs9bAKDs42jF2f +8i9M7DpIzJ9X1Y8xhaBEjodUcCtT5LFPNh0JT5wwkbS2SGgQiti3MdcnQQYqXDUZ +xd6npHU4F+c= +-----END CERTIFICATE REQUEST----- 
diff --git a/tests/hwsim/auth_serv/server-certpol.key b/tests/hwsim/auth_serv/server-certpol.key
new file mode 100644
index 000000000..fdd41eb1d
--- /dev/null
+++ b/tests/hwsim/auth_serv/server-certpol.key
@@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDSpu+bvWBjoXWt +S9NvWV6E+mSgZCQLeEj8jWaLL24dRCuuw22UusujNL4LTkeNW9mZpqgHCYdVsjd+ +R2dcdF8sg3myCEe07E/vdVhnxlhMT2jBGBqETXgjSJoUOG5bShLrhsT3TDisY6dh ++rNkfIkOKfef+HXD75DCcZahq2nTwnQTz+j3CZjtOnnWxEZJk3g7FqWp3fDrvUSn +3E7O96fJP3gIiwXGFy7u3xGg9/VYgHbCNO+5eL7EXL5fXte3zaMSxON2/GSFZGVr +2lzJOFA5iXLlIO+5C8wyJjx5XkqNeI1q3XM6yEInQw3dBR+8hN9WLX6YUJ6LeLDn +/ag5B1cFEvwA74nwPwP2k1uwRFdhYUcFbMQWmGG4kzJFOfu7jjuHGF86B1fRmIkd +hbde6htReZRc2Pq9unUAA+P0A81c2xahrLf0k37smrDmnE5dPLoBMsxwykk8kv7S +iIGd2/S7gP7viVDqgJW9xPoo2MCGYTfXmSuOuQZ4mghEF9oZNZcCAwEAAQKCAYA/ +Xm6oOCD9971Rw4S4c3cGo9iPk3Bwbt/t8Y+OgVcrwK0vZqTZYBQQZbZh6kuGD8J3 +AXZ8n3Yx5mnhOBO08WEMIAUE9I61s30ceP1+QmGfmyfVJq4bbL6eRqHrQUqZdcAZ +UDKCflByM4xP4j4DFZ+ZPjC60+CBb9jpVYhN3CX6yP1oVFwtrJpviu7KF8NZMN6z +T83IOvbVw9sacCDZDBFSbiBq2X+EJsc8nqhL9yu8UvDm3UvcTKF+qrOuNvbH2TkP ++vxSVC8Y81VoBR5ngsQzZc+XDrplMb/BA4UJVncxMJ8kg0U08RwDTYwoLo6vKeus +xqGESyBbjbC5QpPdX+hjHqmNdjjbYS47zkWrZ8geE5jpIx9A1hePd/MxZeX9rZWp +lZm8yWF5DMFF6CZxc/FlYI0aXP8C1rV+GBZ5gkRq/6E5hiLbdbbNGB6IENvACIbD +qQwwuIl8qwIgzBey6e0WYnKH1U00YIUg8OgXXFsjzAw40ltPCjwoRt9KSOp3MxkC +gcEA/3XjtPvq2eauJjFTJ1ewLmbu2JTV+8mrA39UD0clCqptH7fVaSdxjeniOu7/ +UiPjNoFMr8+Ec6s/RkIWyOeKVjnKhqVLR91XGXz8PzYQMvhKmfEHfe7mCZ94RapU +Hl2k6ZpJLq384i/5KYDU3i3a+9DD+iZQ4P66HGnCKLILpbV8vz4ZFASp8ffU1snL +JPLm3UhqTVf4ZeJlL5xbuqk9QHl7jz5UDNpytk5zkEPCDzh0OH+OyZ+nSJiKDok2 +pjM7AoHBANMY0lGwDavtTf9xghLHtevQlJSm/JbBfM7Hp81/UY+Ibl7uRyQXkEdd +03szMFoP0UbsJHg9hPN07yv3rJpyBh2O5atgWqidYq4nJLBC1a5RALiqfaHnJNhe +IV4d8+TE0jOLUE2cMuWQFabKpHCGZ4GdTZNMsz1VKCx3cQwQ7GF75ZKBKIYYxMNi +yIen+dpCmEAvubMXLyB24mGQ3qbIml01cT7R1j1QNVGvXGDRhhRGlyzm8W1decza +CX9mgUVpVQKBwQCqDWX5EkExsDd5QRhjdiHXobmY/uq643Itr9LbILbttKlTleJA +T3ttxqVMKdBYc39KxyOvXOqEvRgvwsq8DjWuVGYW322Pdy4Fz4dy5KA/7bxrYWFl +WWRUP42mgk3gsOGYh5XztupB/0FTeWk6RTgirMPofx0TyT1GsLgIswzB0GAsRkAX +bUtbwWgzWr0Z6X/5Cb2Joue9mslUujbtuL8Hblbr8cetjrUR2oNfI1vJGgFzoqYA 
+XYDT+IbeSkTQugUCgcEAo5pRJk4zylOYZ6kpDjUJoUF+ZdclXBGJERlby8ApDfzG +zXwOVsKMZ0MobAs4JhSsNTM+8JF9QNIXqxPBCdHlO3NMPI3otVWE7UQZAyJJSVgu +HvDDfX8O50HMyoycQWjpIFmQWxX7vD73CNV0rGD+R04KmWaQY7Bj+lJ3ospa6RKE +0g6XwZXgqS0eDUT6N1X1eYmDenE1bQu2V7dXWBuQxzxsECvAxrQrHquyBLdeGsi6 +0WoLIp+XjlRNmBdxiMIhAoHANi3K+ExLqmkbspSOmRUJiDkxxoaZAvc0EfqUBRU1 +8H1syqeBzIKYbIsmipWoHgapJPuDtMKWS/7EihkkHTlMjBMORr/JgF14TYAK5nP1 +/YUUv7UgsJvBFZLLepbbcrNxeb2WC9TsdNlxxpwx89661sBiDrwPztBEqyGPBa/b +oOwesnmVlDS/BjUUt7xNHHxGMRNE0eOg7x7NIplPb5y7+X5BTwpuuzHRcimUpIbr +V+nPmVUHX6GcYg7TZpT+bgcO +-----END PRIVATE KEY----- diff --git a/tests/hwsim/auth_serv/server-certpol.pem b/tests/hwsim/auth_serv/server-certpol.pem new file mode 100644 index 000000000..5bc0fd1e3 --- /dev/null +++ b/tests/hwsim/auth_serv/server-certpol.pem 
@@ -0,0 +1,91 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 15624081837803162909 (0xd8d3e3a6cbe3cd1d) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=FI, O=w1.fi, CN=Root CA + Validity + Not Before: Jun 11 00:12:34 2019 GMT + Not After : Jun 10 00:12:34 2020 GMT + Subject: C=FI, O=w1.fi, CN=server-policies.w1.fi + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (3072 bit) + Modulus: + 00:d2:a6:ef:9b:bd:60:63:a1:75:ad:4b:d3:6f:59: + 5e:84:fa:64:a0:64:24:0b:78:48:fc:8d:66:8b:2f: + 6e:1d:44:2b:ae:c3:6d:94:ba:cb:a3:34:be:0b:4e: + 47:8d:5b:d9:99:a6:a8:07:09:87:55:b2:37:7e:47: + 67:5c:74:5f:2c:83:79:b2:08:47:b4:ec:4f:ef:75: + 58:67:c6:58:4c:4f:68:c1:18:1a:84:4d:78:23:48: + 9a:14:38:6e:5b:4a:12:eb:86:c4:f7:4c:38:ac:63: + a7:61:fa:b3:64:7c:89:0e:29:f7:9f:f8:75:c3:ef: + 90:c2:71:96:a1:ab:69:d3:c2:74:13:cf:e8:f7:09: + 98:ed:3a:79:d6:c4:46:49:93:78:3b:16:a5:a9:dd: + f0:eb:bd:44:a7:dc:4e:ce:f7:a7:c9:3f:78:08:8b: + 05:c6:17:2e:ee:df:11:a0:f7:f5:58:80:76:c2:34: + ef:b9:78:be:c4:5c:be:5f:5e:d7:b7:cd:a3:12:c4: + e3:76:fc:64:85:64:65:6b:da:5c:c9:38:50:39:89: + 72:e5:20:ef:b9:0b:cc:32:26:3c:79:5e:4a:8d:78: + 8d:6a:dd:73:3a:c8:42:27:43:0d:dd:05:1f:bc:84: + df:56:2d:7e:98:50:9e:8b:78:b0:e7:fd:a8:39:07: + 57:05:12:fc:00:ef:89:f0:3f:03:f6:93:5b:b0:44: + 57:61:61:47:05:6c:c4:16:98:61:b8:93:32:45:39: + fb:bb:8e:3b:87:18:5f:3a:07:57:d1:98:89:1d:85: + b7:5e:ea:1b:51:79:94:5c:d8:fa:bd:ba:75:00:03: + e3:f4:03:cd:5c:db:16:a1:ac:b7:f4:93:7e:ec:9a: + b0:e6:9c:4e:5d:3c:ba:01:32:cc:70:ca:49:3c:92: + fe:d2:88:81:9d:db:f4:bb:80:fe:ef:89:50:ea:80: + 95:bd:c4:fa:28:d8:c0:86:61:37:d7:99:2b:8e:b9: + 06:78:9a:08:44:17:da:19:35:97 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 3E:AD:0D:4D:7E:FA:A2:4A:D5:F5:31:EA:B6:B4:BF:83:B1:55:7E:C7 + X509v3 Authority Key Identifier: + keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14 + + Authority Information Access: + OCSP 
- URI:http://server.w1.fi:8888/ + + X509v3 Subject Alternative Name: + DNS:server-policies.w1.fi + X509v3 Certificate Policies: + Policy: 1.3.6.1.4.1.40808.1.3.1 + + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + ad:cc:03:e6:6b:f0:05:4b:27:41:2a:4d:23:dc:89:76:1d:61: + 7f:b6:06:fc:48:8b:ce:1a:c2:c4:43:49:6a:41:9b:5e:65:ce: + a7:e6:62:df:44:96:3e:0e:d9:26:20:f2:2a:53:5d:35:c8:f7: + 15:d2:60:29:50:c7:20:50:a1:df:7a:41:cd:1d:a6:3a:e8:3f: + 5d:1c:38:ed:73:f6:ee:41:ff:8a:54:c4:b5:94:ba:b7:c6:cd: + 82:c8:c2:7d:dc:4d:27:2f:f1:77:40:20:7c:5a:6b:ce:3e:9d: + e5:17:d1:5d:0a:79:66:59:fb:c9:08:cc:24:09:4d:53:ae:4f: + fb:c6 +-----BEGIN CERTIFICATE----- +MIIDxTCCAy6gAwIBAgIJANjT46bL480dMA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV +BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xOTA2 +MTEwMDEyMzRaFw0yMDA2MTAwMDEyMzRaMD0xCzAJBgNVBAYTAkZJMQ4wDAYDVQQK +DAV3MS5maTEeMBwGA1UEAwwVc2VydmVyLXBvbGljaWVzLncxLmZpMIIBojANBgkq +hkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA0qbvm71gY6F1rUvTb1lehPpkoGQkC3hI +/I1miy9uHUQrrsNtlLrLozS+C05HjVvZmaaoBwmHVbI3fkdnXHRfLIN5sghHtOxP +73VYZ8ZYTE9owRgahE14I0iaFDhuW0oS64bE90w4rGOnYfqzZHyJDin3n/h1w++Q +wnGWoatp08J0E8/o9wmY7Tp51sRGSZN4Oxalqd3w671Ep9xOzvenyT94CIsFxhcu +7t8RoPf1WIB2wjTvuXi+xFy+X17Xt82jEsTjdvxkhWRla9pcyThQOYly5SDvuQvM +MiY8eV5KjXiNat1zOshCJ0MN3QUfvITfVi1+mFCei3iw5/2oOQdXBRL8AO+J8D8D +9pNbsERXYWFHBWzEFphhuJMyRTn7u447hxhfOgdX0ZiJHYW3XuobUXmUXNj6vbp1 +AAPj9APNXNsWoay39JN+7Jqw5pxOXTy6ATLMcMpJPJL+0oiBndv0u4D+74lQ6oCV +vcT6KNjAhmE315krjrkGeJoIRBfaGTWXAgMBAAGjgdYwgdMwCQYDVR0TBAIwADAd +BgNVHQ4EFgQUPq0NTX76okrV9THqtrS/g7FVfscwHwYDVR0jBBgwFoAUuJLe/YoY +szDDn1XzM120yCmKQRQwNQYIKwYBBQUHAQEEKTAnMCUGCCsGAQUFBzABhhlodHRw +Oi8vc2VydmVyLncxLmZpOjg4ODgvMCAGA1UdEQQZMBeCFXNlcnZlci1wb2xpY2ll +cy53MS5maTAYBgNVHSAEETAPMA0GCysGAQQBgr5oAQMBMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4GBAK3MA+Zr8AVLJ0EqTSPciXYdYX+2BvxI +i84awsRDSWpBm15lzqfmYt9Elj4O2SYg8ipTXTXI9xXSYClQxyBQod96Qc0dpjro 
+P10cOO1z9u5B/4pUxLWUurfGzYLIwn3cTScv8XdAIHxaa84+neUX0V0KeWZZ+8kI
+zCQJTVOuT/vG
+-----END CERTIFICATE-----
diff --git a/tests/hwsim/auth_serv/test-ca/index.txt b/tests/hwsim/auth_serv/test-ca/index.txt
index 1379c2417..8c7e2081a 100644
--- a/tests/hwsim/auth_serv/test-ca/index.txt
+++ b/tests/hwsim/auth_serv/test-ca/index.txt
@@ -42,3 +42,4 @@ V 191003221355Z D8D3E3A6CBE3CD18 unknown /C=FI/O=w1.fi/CN=server3.w1.fi
 V 191003221355Z D8D3E3A6CBE3CD19 unknown /C=FI/O=w1.fi/CN=server5.w1.fi
 V 191003221355Z D8D3E3A6CBE3CD1A unknown /C=FI/O=w1.fi/CN=server6.w1.fi
 V 191003221355Z D8D3E3A6CBE3CD1B unknown /C=FI/O=w1.fi/CN=Test User
+V 200610001234Z D8D3E3A6CBE3CD1D unknown /C=FI/O=w1.fi/CN=server-policies.w1.fi
diff --git a/tests/hwsim/auth_serv/test-ca/serial b/tests/hwsim/auth_serv/test-ca/serial
index d4be25931..929af056a 100644
--- a/tests/hwsim/auth_serv/test-ca/serial
+++ b/tests/hwsim/auth_serv/test-ca/serial
@@ -1 +1 @@
-D8D3E3A6CBE3CD1C
+D8D3E3A6CBE3CD1E
diff --git a/tests/hwsim/auth_serv/update.sh b/tests/hwsim/auth_serv/update.sh
index 6c152f2ab..c46451257 100755
--- a/tests/hwsim/auth_serv/update.sh
+++ b/tests/hwsim/auth_serv/update.sh
@@ -32,6 +32,14 @@ cat openssl2.cnf |
 > openssl.cnf.tmp
 $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-eku-client-server.csr -out server-eku-client-server.pem -extensions ext_client_server
 
+cat openssl2.cnf |
+ sed "s/#@CN@/commonName_default = server-policies.w1.fi/" |
+ sed "s/#@ALTNAME@/subjectAltName=DNS:server-policies.w1.fi/" |
+ sed "s/#@CERTPOL@/certificatePolicies = 1.3.6.1.4.1.40808.1.3.1/" \
+ > openssl.cnf.tmp
+#$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:3072 -nodes -keyout server-certpol.key -out server-certpol.csr -outform PEM -sha256
+$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -in server-certpol.csr -out server-certpol.pem -extensions ext_server
+
 echo
 echo "---[ Update user certificates ]-----------------------------------------"
 echo
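Review bot: The commented-out `$OPENSSL req` line in the new server-certpol block of update.sh has no explanation, and it is the only record that `server-certpol.key` was created with `-nodes`, i.e. stored unencrypted and committed alongside the CSR in this same change. I would put a comment above it such as `# One-time key/CSR generation, kept for reference; the key is unencrypted (-nodes) and for hwsim tests only.` The literal OID in the `#@CERTPOL@` substitution would also benefit from a short comment naming the policy it identifies, since nothing in the hunk says what `1.3.6.1.4.1.40808.1.3.1` stands for. Separately, if the `#@CERTPOL@` placeholder is ever missing from openssl2.cnf the `sed` still succeeds without substituting, and `openssl ca` would presumably sign a certificate without the policy extension, so a check that openssl.cnf.tmp contains `certificatePolicies` before signing may be worthwhile.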