google · hitnik · Feb 17, 2026 · Feb 16, 2026 · Feb 16, 2026 · Feb 16, 2026
diff --git a/modules/test/conn/conf/module_config.json b/modules/test/conn/conf/module_config.json
@@ -40,6 +40,15 @@
           "Verify DHCP Client Configuration"
         ]
       },
+      {
+        "name": "connection.target_ping",
+        "test_description": "The device under test responds to an ICMP echo (ping) request.",
+        "expected_behavior": "The device under test responds to an ICMP echo (ping) request.",
+        "recommendations": [
+          "Configure device to allow ICMP requests (ping)",
+          "Create a firewall exception to allow ICMP requests from LAN"
+        ]
+      },
       {
         "name": "connection.switch.dhcp_snooping",
         "test_description": "The device operates as a DHCP client and operates correctly when DHCP snooping is enabled on a switch.",
@@ -133,15 +142,6 @@
           "Ensure only one DHCP client is running"
         ]
       },
-      {
-        "name": "connection.target_ping",
-        "test_description": "The device under test responds to an ICMP echo (ping) request.",
-        "expected_behavior": "The device under test responds to an ICMP echo (ping) request.",
-        "recommendations": [
-          "Configure device to allow ICMP requests (ping)",
-          "Create a firewall exception to allow ICMP requests from LAN"
-        ]
-      },
       {
         "name": "connection.ipaddr.ip_change",
         "test_description": "The device responds to a ping (ICMP echo request) to the new IP address it has received after the initial DHCP lease has expired.",

diff --git a/modules/test/tls/bin/openssl_connect_intermidiate.sh b/modules/test/tls/bin/openssl_connect_intermidiate.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+IP="$1"
+PORT="$2"
+DEVICE_CERT="$3"
+
+
+response=$(openssl s_client -connect $IP:$PORT -CAfile $DEVICE_CERT -partial_chain)
+
+echo "$response"
diff --git a/modules/test/tls/bin/openssl_connect_root.sh b/modules/test/tls/bin/openssl_connect_root.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+IP="$1"
+PORT="$2"
+DEVICE_CERT="$3"
+
+
+response=$(openssl s_client -connect $IP:$PORT -CAfile $DEVICE_CERT)
+
+echo "$response"
diff --git a/modules/test/tls/python/src/tls_util.py b/modules/test/tls/python/src/tls_util.py
@@ -237,7 +237,10 @@ def validate_signature(self, host, port):
 
       device_cert_path = os.path.join(self._cert_out_dir, self._dev_cert_file)
       signed, ca_file = self.validate_local_ca_signature(
-          device_cert_path=device_cert_path)
+          device_cert_path=device_cert_path,
+          host=host,
+          port=port
+      )
       if signed:
         return True, 'Device signed by cert:' + ca_file
     return False, 'Device certificate has not been signed'
@@ -259,12 +262,21 @@ def _is_cert_root(self, file_path: str) -> bool:
         return True
       return False
 
-  def validate_local_ca_signature(self, device_cert_path):
+  def validate_local_ca_signature(self, device_cert_path, host, port):
     root_script = os.path.join(self._bin_dir, 'check_cert_signature.sh')
     intermidiate_script = os.path.join(
       self._bin_dir,
       'check_cert_intermidiate_signature.sh'
     )
+    root_script_connect =os.path.join(
+      self._bin_dir,
+      'openssl_connect_root.sh'
+    )
+    intermidiate_script_connect =os.path.join(
+      self._bin_dir,
+      'openssl_connect_intermidiate.sh'
+    )
+    openssl_conn_condition = 'Verify return code: 0 (ok)'
 
     # Get a list of all root certificates
     local_certs = os.listdir(self._root_certs_dir)
@@ -273,22 +285,41 @@ def validate_local_ca_signature(self, device_cert_path):
       try:
         # Create the file path
         local_cert_path = os.path.join(self._root_certs_dir, local_cert)
-        LOGGER.info('Checking root cert: ' + str(local_cert_path))
         is_local_cert_root = self._is_cert_root(local_cert_path)
         args = f'"{local_cert_path}" "{device_cert_path}"'
+        args_conn = f' "{host}" "{port}" "{local_cert_path}"'
         is_device_cert_valid = False
+        log_msg = f'Attempting to connect to device with cert: {local_cert}'
         if is_local_cert_root:
           # Check if root cert
           command = f'{os.path.abspath(root_script)} {args}'
           response = util.run_command(command)
           if f'{device_cert_path}: OK' in str(response):
             is_device_cert_valid = True
+          else:
+            LOGGER.info(log_msg)
+            script_abs_path = os.path.abspath(root_script_connect)
+            command = f'{script_abs_path} {args_conn}'
+            response = util.run_command(command)
+            if openssl_conn_condition in str(response):
+              is_device_cert_valid = True
+            else:
+              LOGGER.info('Connection attempt failed with cert: ' + local_cert)
         else:
           # Intermediate cert
           command = f'{os.path.abspath(intermidiate_script)} {args}'
           response = util.run_command(command)
           if f'{device_cert_path}: OK' in str(response):
             is_device_cert_valid = True
+          else:
+            LOGGER.info(log_msg)
+            script_abs_path = os.path.abspath(intermidiate_script_connect)
+            command = f'{script_abs_path} {args_conn}'
+            response = util.run_command(command)
+            if openssl_conn_condition in str(response):
+              is_device_cert_valid = True
+            else:
+              LOGGER.info('Connection attempt failed with cert: ' + local_cert)
         if is_device_cert_valid:
           LOGGER.info('Device signed by cert:' + local_cert)
           return True, local_cert_path

diff --git a/test_vm/create_cert_chain.sh b/test_vm/create_cert_chain.sh
@@ -131,8 +131,8 @@ echo "nginx configured with multi-level CA chain on $VM_IP"
 # 9. Copy nginx_fullchain.pem, int2CA.pem, int1CA.pem, rootCA.pem from VM to certs subdirectory in working directory
 # $SSHPASS scp -o StrictHostKeyChecking=no ${VM_USER}@${VM_IP}:/etc/ssl/certs/nginx_fullchain.pem "$CERTS_DIR/nginx_fullchain.pem"
 $SSHPASS scp -o StrictHostKeyChecking=no ${VM_USER}@${VM_IP}:/etc/ssl/certs/int2CA.pem "$CERTS_DIR/int2CA.pem"
-# $SSHPASS scp -o StrictHostKeyChecking=no ${VM_USER}@${VM_IP}:/etc/ssl/certs/int1CA.pem "$CERTS_DIR/int1CA.pem"
-# $SSHPASS scp -o StrictHostKeyChecking=no ${VM_USER}@${VM_IP}:/etc/ssl/certs/rootCA.pem "$CERTS_DIR/rootCA.pem"
+$SSHPASS scp -o StrictHostKeyChecking=no ${VM_USER}@${VM_IP}:/etc/ssl/certs/int1CA.pem "$CERTS_DIR/int1CA.pem"
+$SSHPASS scp -o StrictHostKeyChecking=no ${VM_USER}@${VM_IP}:/etc/ssl/certs/rootCA.pem "$CERTS_DIR/rootCA.pem"
 echo "Certificates copied from VM to $CERTS_DIR/"
 
 # 10. Add rootCA.pem to trusted store on the client (Ubuntu/Debian)

diff --git a/testing/unit/tls/tls_module_test.py b/testing/unit/tls/tls_module_test.py
@@ -841,7 +841,7 @@ def tls_module_local_ca_cert_test(self):
     print('\ntls_module_trusted_ca_cert_chain_test')
     cert_path = os.path.join(CERT_DIR, 'device_cert_local.crt')
     cert_valid = TLS_UTIL.validate_local_ca_signature(
-        device_cert_path=cert_path)
+        device_cert_path=cert_path, host='10.10.10.14', port='443')
     self.assertEqual(cert_valid[0], True)
 
   def tls_module_ca_cert_spaces_test(self):
@@ -862,7 +862,7 @@ def tls_module_ca_cert_spaces_test(self):
     tls_util = TLSUtil(log, cert_out_dir=OUTPUT_DIR, root_certs_dir=tmp_dir)
 
     cert_valid = tls_util.validate_local_ca_signature(
-        device_cert_path=cert_path)
+        device_cert_path=cert_path, host='10.10.10.14', port='443')
     self.assertEqual(cert_valid[0], True)
 
   def download_public_cert(self, hostname, port=443):