diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
index af085ca6..50136527 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@@ -38,6 +38,7 @@ import hirs.utils.ReferenceManifestValidator;
 import hirs.validation.CredentialValidator;
 import hirs.validation.SupplyChainCredentialValidator;
 import org.apache.logging.log4j.Level;
+import hirs.validation.SupplyChainValidatorException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.bouncycastle.util.encoders.Hex;
@@ -51,7 +52,9 @@ import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -415,6 +418,34 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                 }
             }
 
+            //Validate signing cert
+            Set<CertificateAuthorityCredential> allCerts =
+                    CertificateAuthorityCredential.select(certificateManager).getCertificates();
+            CertificateAuthorityCredential signingCert = null;
+            for (CertificateAuthorityCredential cert : allCerts) {
+                if (Arrays.equals(cert.getEncodedPublicKey(),
+                        referenceManifestValidator.getPublicKey().getEncoded())) {
+                    signingCert = cert;
+                    break;
+                }
+            }
+            KeyStore keyStore = getCaChain(signingCert);
+            try {
+                X509Certificate x509Cert = CertificateAuthorityCredential.select(certificateManager)
+                        .bySubjectKeyIdentifier(signingCert.getSubjectKeyIdentifier())
+                        .getX509Certificate();
+                if (!SupplyChainCredentialValidator.verifyCertificate(x509Cert, keyStore)) {
+                    passed = false;
+                    fwStatus = new AppraisalStatus(FAIL,
+                            "Firmware validation failed: invalid certificate path.");
+                }
+            } catch (IOException e) {
+                LOGGER.error("Error getting X509 cert from manager: " + e.getMessage());
+            } catch (SupplyChainValidatorException e) {
+                LOGGER.error("Error validating cert against keystore: " + e.getMessage());
+            }
+
+
             if (!referenceManifestValidator.isSignatureValid()) {
                 passed = false;
                 fwStatus = new AppraisalStatus(FAIL,