diff --git a/tests/hwsim/auth_serv/ca-incorrect.pem b/tests/hwsim/auth_serv/ca-incorrect.pem
new file mode 100644
index 000000000..2e9a4926a
--- /dev/null
+++ b/tests/hwsim/auth_serv/ca-incorrect.pem
@@ -0,0 +1,55 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 10855188644662735910 (0x96a5608f1ef9f426)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=FI, CN=TEST - Incorrect Root CA
+ Validity
+ Not Before: Oct 20 16:30:06 2013 GMT
+ Not After : Oct 18 16:30:06 2023 GMT
+ Subject: C=FI, CN=TEST - Incorrect Root CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (1024 bit)
+ Modulus:
+ 00:bc:0c:8e:61:1e:5b:ea:b2:6b:cc:8a:8c:38:85:
+ 6d:79:e0:7a:28:d1:b5:55:65:52:f8:e2:2c:74:c1:
+ 00:15:c6:15:84:56:08:f5:e9:eb:bc:07:8d:b7:97:
+ b6:73:7f:46:77:86:31:d0:f0:7f:95:d6:4a:7c:35:
+ 07:85:43:41:5e:f4:07:84:e6:52:cb:52:38:ef:fe:
+ 6a:16:84:22:45:2e:c1:a1:16:8d:d2:b3:62:c2:05:
+ 77:43:04:2e:d0:52:ee:db:78:10:79:44:49:92:35:
+ ee:99:83:aa:a0:1d:e6:3d:c3:c6:a2:8e:b6:4d:7f:
+ d8:11:a9:a3:bc:68:1d:a2:6f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 3E:49:CB:A7:6A:A7:08:4F:DA:99:E4:3C:64:A2:AC:96:BE:99:E4:F2
+ X509v3 Authority Key Identifier:
+ keyid:3E:49:CB:A7:6A:A7:08:4F:DA:99:E4:3C:64:A2:AC:96:BE:99:E4:F2
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha1WithRSAEncryption
+ 31:98:35:4b:d8:d2:8e:55:7a:af:06:f8:ef:6b:24:13:11:12:
+ b0:77:81:b9:ab:50:20:d6:78:99:3f:bc:3d:89:d4:b2:bd:7a:
+ 54:03:fc:a7:a4:9f:2b:09:da:75:c9:8d:4c:65:90:c5:df:fc:
+ 6b:48:52:f1:0a:aa:57:8a:b1:f5:fe:35:87:87:32:39:b9:ad:
+ 80:f0:8e:36:72:63:d5:97:20:e5:b6:06:64:31:5a:66:66:15:
+ 85:68:b7:9d:26:8b:46:7f:e8:1b:09:f5:c2:4a:35:7c:49:e2:
+ b2:dc:59:b2:91:8d:85:33:07:09:ca:78:7a:db:b3:e5:58:2c:
+ cc:6a
+-----BEGIN CERTIFICATE-----
+MIICLjCCAZegAwIBAgIJAJalYI8e+fQmMA0GCSqGSIb3DQEBBQUAMDAxCzAJBgNV
+BAYTAkZJMSEwHwYDVQQDDBhURVNUIC0gSW5jb3JyZWN0IFJvb3QgQ0EwHhcNMTMx
+MDIwMTYzMDA2WhcNMjMxMDE4MTYzMDA2WjAwMQswCQYDVQQGEwJGSTEhMB8GA1UE
+AwwYVEVTVCAtIEluY29ycmVjdCBSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQC8DI5hHlvqsmvMiow4hW154Hoo0bVVZVL44ix0wQAVxhWEVgj16eu8
+B423l7Zzf0Z3hjHQ8H+V1kp8NQeFQ0Fe9AeE5lLLUjjv/moWhCJFLsGhFo3Ss2LC
+BXdDBC7QUu7beBB5REmSNe6Zg6qgHeY9w8aijrZNf9gRqaO8aB2ibwIDAQABo1Aw
+TjAdBgNVHQ4EFgQUPknLp2qnCE/ameQ8ZKKslr6Z5PIwHwYDVR0jBBgwFoAUPknL
+p2qnCE/ameQ8ZKKslr6Z5PIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOB
+gQAxmDVL2NKOVXqvBvjvayQTERKwd4G5q1Ag1niZP7w9idSyvXpUA/ynpJ8rCdp1
+yY1MZZDF3/xrSFLxCqpXirH1/jWHhzI5ua2A8I42cmPVlyDltgZkMVpmZhWFaLed
+JotGf+gbCfXCSjV8SeKy3FmykY2FMwcJynh627PlWCzMag==
+-----END CERTIFICATE-----
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 6cad6638f..269f6dc2b 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -151,3 +151,53 @@ def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
 anonymous_identity="ttls", password="password", ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
+
+def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
+ """WPA2-Enterprise negative test - incorrect trust root"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hostapd.add_ap(apdev[0]['ifname'], params)
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
+ password="password", phase2="auth=MSCHAPV2",
+ ca_cert="auth_serv/ca-incorrect.pem",
+ wait_connect=False)
+
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
+ if ev is None:
+ raise Exception("Association and EAP start timed out")
+
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
+ if ev is None:
+ raise Exception("EAP method selection timed out")
+ if "TTLS" not in ev:
+ raise Exception("Unexpected EAP method")
+
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
+ "CTRL-EVENT-EAP-SUCCESS",
+ "CTRL-EVENT-EAP-FAILURE",
+ "CTRL-EVENT-CONNECTED",
+ "CTRL-EVENT-DISCONNECTED"], timeout=10)
+ if ev is None:
+ raise Exception("EAP result timed out")
+ if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
+ raise Exception("TLS certificate error not reported")
+
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
+ "CTRL-EVENT-EAP-FAILURE",
+ "CTRL-EVENT-CONNECTED",
+ "CTRL-EVENT-DISCONNECTED"], timeout=10)
+ if ev is None:
+ raise Exception("EAP result(2) timed out")
+ if "CTRL-EVENT-EAP-FAILURE" not in ev:
+ raise Exception("EAP failure not reported")
+
+ ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
+ "CTRL-EVENT-DISCONNECTED"], timeout=10)
+ if ev is None:
+ raise Exception("EAP result(3) timed out")
+ if "CTRL-EVENT-DISCONNECTED" not in ev:
+ raise Exception("Disconnection not reported")
+
+ ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
+ if ev is None:
+ raise Exception("Network block disabling not reported")
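Review bot: The check `if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev` accepts any server-certificate rejection, so this negative test would also pass if the certificate were refused for an unrelated reason (expiry, a broken fixture, a name mismatch) rather than because it does not chain to `auth_serv/ca-incorrect.pem`, which is the property the test exists to prove. I believe the event line carries the TLS backend's verification error text; asserting on the part that indicates an unknown or untrusted issuer, or at minimum adding a comment such as `# expected: server cert does not chain to the configured (wrong) trust root` next to the check, would pin the intended failure instead of "some cert error". Separately, `identity="DOMAIN\mschapv2 user"` depends on `\m` being an unrecognised escape that Python keeps verbatim, which newer interpreters warn about; `identity=r"DOMAIN\mschapv2 user"` says what is meant.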