diff --git a/other/tests/missing_key/c_a_e.pgp b/other/tests/missing_key/c_a_e.pgp
new file mode 100644
index 0000000..306c61f
Binary files /dev/null and b/other/tests/missing_key/c_a_e.pgp differ
diff --git a/other/tests/missing_key/s_c_a.pgp b/other/tests/missing_key/s_c_a.pgp
new file mode 100644
index 0000000..c4f1798
Binary files /dev/null and b/other/tests/missing_key/s_c_a.pgp differ
diff --git a/other/tests/missing_key/s_c_a_e_e.pgp b/other/tests/missing_key/s_c_a_e_e.pgp
new file mode 100644
index 0000000..fe8143c
Binary files /dev/null and b/other/tests/missing_key/s_c_a_e_e.pgp differ
diff --git a/other/tests/missing_key/s_c_a_es.pgp b/other/tests/missing_key/s_c_a_es.pgp
new file mode 100644
index 0000000..02754a3
Binary files /dev/null and b/other/tests/missing_key/s_c_a_es.pgp differ
diff --git a/other/tests/missing_key/s_c_a_et_es.pgp b/other/tests/missing_key/s_c_a_et_es.pgp
new file mode 100644
index 0000000..3748fd5
Binary files /dev/null and b/other/tests/missing_key/s_c_a_et_es.pgp differ
diff --git a/other/tests/missing_key/s_c_e.pgp b/other/tests/missing_key/s_c_e.pgp
new file mode 100644
index 0000000..6f4a93c
Binary files /dev/null and b/other/tests/missing_key/s_c_e.pgp differ
diff --git a/other/tests/missing_key/valid.pgp b/other/tests/missing_key/valid.pgp
new file mode 100644
index 0000000..90f42b5
Binary files /dev/null and b/other/tests/missing_key/valid.pgp differ
diff --git a/other/tests/policy/expiration_date.pgp b/other/tests/policy/expiration_date.pgp
new file mode 100644
index 0000000..fa522fa
Binary files /dev/null and b/other/tests/policy/expiration_date.pgp differ
diff --git a/other/tests/policy/nist_p_521.pgp b/other/tests/policy/nist_p_521.pgp
new file mode 100644
index 0000000..dd595cb
Binary files /dev/null and b/other/tests/policy/nist_p_521.pgp differ
diff --git a/other/tests/policy/rsa_4096.pgp b/other/tests/policy/rsa_4096.pgp
new file mode 100644
index 0000000..0022a01
Binary files /dev/null and b/other/tests/policy/rsa_4096.pgp differ
diff --git a/other/tests/policy/subkey_nist_p_384.pgp b/other/tests/policy/subkey_nist_p_384.pgp
new file mode 100644
index 0000000..8a715e0
Binary files /dev/null and b/other/tests/policy/subkey_nist_p_384.pgp differ
diff --git a/other/tests/policy/unencrypted.pgp b/other/tests/policy/unencrypted.pgp
new file mode 100644
index 0000000..a9f1a04
Binary files /dev/null and b/other/tests/policy/unencrypted.pgp differ
diff --git a/src/certificate/mod.rs b/src/certificate/mod.rs
index 17e6264..678b231 100644
--- a/src/certificate/mod.rs
+++ b/src/certificate/mod.rs
@@ -144,3 +144,72 @@ impl Certificate {
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use crate::certificate::Certificate;
+
+    #[test]
+    fn missing_key_check() {
+        // is missing an encryption key
+        let s_c_a = include_bytes!("../../other/tests/missing_key/s_c_a.pgp")[..].into();
+        Certificate::check(&s_c_a).expect_err("cert is missing encryption keys");
+
+        // is missing authentication key
+        let s_c_e = include_bytes!("../../other/tests/missing_key/s_c_e.pgp")[..].into();
+        Certificate::check(&s_c_e).expect_err("cert is missing authentication key");
+
+        // is missing signing key
+        let c_a_e = include_bytes!("../../other/tests/missing_key/c_a_e.pgp")[..].into();
+        Certificate::check(&c_a_e).expect_err("cert is missing signing key");
+
+        // has only a key for storage encryption but not one for transport encryption
+        let s_c_a_es = include_bytes!("../../other/tests/missing_key/s_c_a_es.pgp")[..].into();
+        Certificate::check(&s_c_a_es).expect_err("cert is missing transport encryption key");
+
+        // has two keys one with storage encryption, one with transport encryption
+        let s_c_a_et_es =
+            include_bytes!("../../other/tests/missing_key/s_c_a_et_es.pgp")[..].into();
+        Certificate::check(&s_c_a_et_es)
+            .expect_err("cert has two encryption keys for transport and storage encryption");
+
+        // this cert is valid but has two encryption keys
+        let s_c_a_e_e = include_bytes!("../../other/tests/missing_key/s_c_a_e_e.pgp")[..].into();
+        Certificate::check(&s_c_a_e_e).expect_err("cert has two encryption keys");
+
+        // this is a valid cert
+        let valid = include_bytes!("../../other/tests/missing_key/valid.pgp")[..].into();
+        Certificate::check(&valid).expect("cert is valid");
+    }
+
+    #[test]
+    fn invalid_ciphersuite() {
+        // cert uses keys with nist p-521
+        let nist_p_521 = include_bytes!("../../other/tests/policy/nist_p_521.pgp")[..].into();
+        Certificate::check(&nist_p_521).expect_err("cert uses nist p-521");
+
+        // cert has a subkey with nist p-384
+        let subkey_nist_p_384 =
+            include_bytes!("../../other/tests/policy/subkey_nist_p_384.pgp")[..].into();
+        Certificate::check(&subkey_nist_p_384).expect_err("subkey uses nist p-521");
+
+        // cert uses rsa
+        let rsa_key = include_bytes!("../../other/tests/policy/rsa_4096.pgp")[..].into();
+        Certificate::check(&rsa_key).expect_err("cert uses rsa with 4096 key size");
+    }
+
+    #[test]
+    fn unencrypted_secret() {
+        // the whole certificate is unencrypted
+        let unencrypted = include_bytes!("../../other/tests/policy/unencrypted.pgp")[..].into();
+        Certificate::check(&unencrypted).expect_err("cert has unencrypted secrets");
+    }
+
+    #[test]
+    fn expiration_date() {
+        // cert has an expiration date
+        let expiration_date =
+            include_bytes!("../../other/tests/policy/expiration_date.pgp")[..].into();
+        Certificate::check(&expiration_date).expect_err("cert has an expiration date");
+    }
+}