diff --git a/examples/utils.py b/examples/utils.py
index cdaf5f3..d3a3ec2 100644
--- a/examples/utils.py
+++ b/examples/utils.py
@@ -126,6 +126,7 @@ def process_connection(connection, my_socket):
 connection.close()
 return True
 
+
 # Map the send callback status to a string
 SEND_STATUS = {
 pyngus.SenderLink.ABORTED: "Aborted",
diff --git a/tests/unit_tests/connection.py b/tests/unit_tests/connection.py
index 36b3844..7a1ddb5 100644
--- a/tests/unit_tests/connection.py
+++ b/tests/unit_tests/connection.py
@@ -28,6 +28,7 @@ from string import Template
 from proton import Condition
 from proton import Message
 from proton import SSLUnavailable
+from proton import SSLException
 from proton import SASL
 
 import pyngus
@@ -348,7 +349,9 @@ class APITest(common.Test):
 
 
 def _test_ssl(self, server_password="server-password",
- server_dns="some.server.com"):
+ server_dns="some.server.com",
+ client_password=None,
+ client_dns=None):
 
 def _testpath(file):
 """ Set the full path to the PEM files."""
@@ -359,12 +362,21 @@ class APITest(common.Test):
 "x-ssl-identity": (_testpath("server-certificate.pem"),
 _testpath("server-private-key.pem"),
 server_password)}
+ if client_dns:
+ s_props['x-ssl-ca-file'] = _testpath("ca-certificate.pem")
+ s_props['x-ssl-verify-mode'] = 'verify-peer'
+ s_props['x-ssl-peer-name'] = client_dns
+
 server = self.container1.create_connection("server",
 properties=s_props)
 
 c_props = {"x-ssl-ca-file": _testpath("ca-certificate.pem"),
 "x-ssl-verify-mode": "verify-peer",
 "x-ssl-peer-name": server_dns}
+ if client_password:
+ c_props['x-ssl-identity'] = (_testpath("client-certificate.pem"),
+ _testpath("client-private-key.pem"),
+ client_password)
 client = self.container2.create_connection("client",
 properties=c_props)
 server.open()
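Review bot: `_test_ssl` gains two keyword parameters in the `@@ -348` hunk but nothing documents what they switch on, and the `@@ -359` hunk couples them in a way the code does not enforce: `client_dns` makes the server demand and verify a client certificate (`x-ssl-verify-mode`/`x-ssl-peer-name`), while `client_password` only makes the client offer one, so a caller passing `client_dns` alone presumably fails the handshake for a reason unrelated to what it meant to test. I would add a docstring under the signature along the lines of `"""Open a client/server SSL pair; client_dns makes the server require a client cert with that name, client_password makes the client present client-certificate.pem - set both for client auth."""`. The guard `if client_password:` also treats an empty string as "no identity"; `if client_password is not None:` is the more precise test should an empty key password ever need exercising. `_test_ssl` continues past the end of the hunk.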
@@ -384,7 +396,8 @@ class APITest(common.Test):
 assert False, "error expected!"
 except SSLUnavailable:
 raise common.Skipped("SSL not available.")
- except Exception:
+ except SSLException:
+ # should fail to open the certificate
 pass
 
 def test_ssl_name_fail(self):
@@ -393,7 +406,37 @@ class APITest(common.Test):
 assert False, "error expected!"
 except SSLUnavailable:
 raise common.Skipped("SSL not available.")
- except Exception:
+ except AssertionError:
+ # connection setup should fail
+ pass
+
+ def test_ssl_client_auth_ok(self):
+ try:
+ self._test_ssl(client_password="client-password",
+ client_dns="my.client.com")
+ except SSLUnavailable:
+ raise common.Skipped("SSL not available.")
+
+ def test_ssl_client_pw_fail(self):
+ try:
+ self._test_ssl(client_password="bad password",
+ client_dns="my.client.com")
+ assert False, "error expected!"
+ except SSLUnavailable:
+ raise common.Skipped("SSL not available.")
+ except SSLException:
+ # should fail to open the certificate
+ pass
+
+ def test_ssl_client_name_fail(self):
+ try:
+ self._test_ssl(client_password="client-password",
+ client_dns="my.Xclient.com")
+ assert False, "error expected!"
+ except SSLUnavailable:
+ raise common.Skipped("SSL not available.")
+ except AssertionError:
+ # connection setup should fail
 pass
 
 def test_io_input_close(self):
diff --git a/tests/unit_tests/ssl_db/setup_ssl.sh b/tests/unit_tests/ssl_db/setup_ssl.sh
index 7f5eeb5..410098f 100755
--- a/tests/unit_tests/ssl_db/setup_ssl.sh
+++ b/tests/unit_tests/ssl_db/setup_ssl.sh
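Review bot: `test_ssl_name_fail` and the new `test_ssl_client_name_fail` in the `@@ -393` hunk cannot fail: the `assert False, "error expected!"` sentinel sits inside the same `try` whose `except AssertionError:` branch swallows it, so when `_test_ssl` completes without error the sentinel's own AssertionError is caught and the test passes. Narrowing from `except Exception` did not change this, since AssertionError was already a subclass of what was caught before. In both tests move the sentinel out of the `try`: replace the `pass` under `except AssertionError:` with `return` and put `assert False, "error expected!"` after the whole try/except (an `else:` clause works equally well). `test_ssl_client_pw_fail` and the `@@ -384` hunk are unaffected because they catch `SSLException`, which the sentinel does not raise; the `try:` of `test_ssl_name_fail` starts above the hunk.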
@@ -68,9 +68,9 @@ $OPENSSL pkcs12 -nocerts -passin pass:server-password -in server.pkcs12 -passout
 CLIENT_COMMON_NAME="my.client.com"
 # Create a certificate request for the client certificate. Use the CA's certificate to sign it:
 $KEYTOOL -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -genkey -dname "CN=$CLIENT_COMMON_NAME" -validity 99999
-keytool -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -certreq -file client-request.pem
-keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile client-request.pem -outfile client-certificate.pem
-openssl pkcs12 -nocerts -passin pass:client-password -in client.pkcs12 -passout pass:client-password -out client-private-key.pem
+$KEYTOOL -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -certreq -file client-request.pem
+$KEYTOOL -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile client-request.pem -outfile client-certificate.pem
+$OPENSSL pkcs12 -nocerts -passin pass:client-password -in client.pkcs12 -passout pass:client-password -out client-private-key.pem
 
 # clean up all the unnecessary stuff
 rm *.pkcs12 *-request.pem
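Review bot: `CLIENT_COMMON_NAME="my.client.com"` and the `client-password` literals in this hunk are an unrecorded contract with `tests/unit_tests/connection.py`, whose client-auth tests pass `client_dns="my.client.com"` / `"my.Xclient.com"` and `client_password="client-password"`; regenerating the fixtures with a different CN or password would make those tests fail with an unhelpful SSL error rather than pointing here. I would add a comment above the assignment: `# CN and key password must match client_dns/client_password in tests/unit_tests/connection.py`. Separately, `-passin pass:`/`-passout pass:` place the key passwords in the process argument list, which is acceptable for throwaway test material but worth a one-line comment so the script is not read as a template for real keys.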