diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index db33152b..544623fe 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -184,7 +184,9 @@ extern LIBSSH_THREAD int ssh_log_level;
 /* Multiple IdentityFile settings all are applied */
 #define LIBSSH_TESTCONFIG_STRING13 \
    "IdentityFile id_rsa_one\n" \
-   "IdentityFile id_ecdsa_two\n"
+   "CertificateFile id_rsa_one-cert.pub\n" \
+   "IdentityFile id_ecdsa_two\n" \
+   "CertificateFile id_ecdsa_two-cert.pub\n" \
 
 /* +,-,^ features for all supported list */
 /* kex won't work in fips */
@@ -1913,10 +1915,10 @@ static void torture_config_parser_get_cmd(void **state)
     } else if (pid == 0) {
         ssh_execute_command(tok, fileno(outfile), fileno(outfile));
         /* Does not return */
-    } else {        
-        /* parent 
+    } else {
+        /* parent
          * wait child process */
-        wait(NULL); 
+        wait(NULL);
         infile = fopen("output.log", "r");
         assert_non_null(infile);
         p = fgets(buffer, sizeof(buffer), infile);
@@ -2198,6 +2200,7 @@ static void torture_config_match_pattern(void **state)
 static void torture_config_identity(void **state)
 {
     const char *id = NULL;
+    const char *cert = NULL;
     struct ssh_iterator *it = NULL;
     ssh_session session = *state;
 
@@ -2214,6 +2217,20 @@ static void torture_config_identity(void **state)
     assert_non_null(it);
     id = it->data;
     assert_string_equal(id, "id_rsa_one");
+
+    /* The certs are first added to this temporary list before expanding */
+    it = ssh_list_get_iterator(session->opts.certificate_non_exp);
+    assert_non_null(it);
+    cert = it->data;
+    /* The certs are coming as listed in the configuration file */
+    assert_string_equal(cert, "id_rsa_one-cert.pub");
+
+    it = it->next;
+    assert_non_null(it);
+    cert = it->data;
+    assert_string_equal(cert, "id_ecdsa_two-cert.pub");
+    /* and that is all */
+    assert_null(it->next);
 }
 
 /* Make absolute path for config include
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
index b1c416dd..5ba3bdc6 100644
--- a/tests/unittests/torture_options.c
+++ b/tests/unittests/torture_options.c
@@ -900,6 +900,9 @@ static void torture_options_copy(void **state)
     config = fopen("test_config", "w");
     assert_non_null(config);
     fputs("IdentityFile ~/.ssh/id_ecdsa\n"
+          "IdentityFile ~/.ssh/my_rsa\n"
+          "CertificateFile ~/.ssh/my_rsa-cert.pub\n"
+          "CertificateFile ~/.ssh/id_ecdsa-cert.pub\n"
           "User tester\n"
           "Hostname example.com\n"
           "BindAddress 127.0.0.2\n"
@@ -947,6 +950,19 @@ static void torture_options_copy(void **state)
     assert_null(it);
     assert_null(it2);
 
+    /* Check the certificates match */
+    it = ssh_list_get_iterator(session->opts.certificate_non_exp);
+    assert_non_null(it);
+    it2 = ssh_list_get_iterator(new->opts.certificate_non_exp);
+    assert_non_null(it2);
+    while (it != NULL && it2 != NULL) {
+        assert_string_equal(it->data, it2->data);
+        it = it->next;
+        it2 = it2->next;
+    }
+    assert_null(it);
+    assert_null(it2);
+
     assert_string_equal(session->opts.username, new->opts.username);
     assert_string_equal(session->opts.host, new->opts.host);
     assert_string_equal(session->opts.bindaddr, new->opts.bindaddr);