diff --git a/doc/testing/testplan/api_security_service/README.md b/doc/testing/testplan/api_security_service/README.md
index eeed75e4e5120c52cf4c53b02e14f78079c33d3b..224d1c22afbae9a81923295a4aa0940f447ef71e 100644
--- a/doc/testing/testplan/api_security_service/README.md
+++ b/doc/testing/testplan/api_security_service/README.md
@@ -1341,6 +1341,61 @@ At this documentation you will have all information and related files and exampl
         * error invalid_scope
         * error_description=One of the api names does not exist or is not associated with the aef id provided
 
+## Test Case 28: Retrieve Security Context from AEF using PKI-secured API Invoker
+
+**Test ID**:: ***capif_security_api-28***, ***smoke***
+
+**Description**:
+
+  Validate that the AEF can successfully retrieve the security context of an API Invoker when the selected security method is PKI and it contains CA root at ***authenticationInfo*** attribute inside securityInfo.
+
+**Pre-Conditions**:
+
+  * API Invoker is pre-authorised and Provider is also authorized
+
+**Execution Steps**:
+
+1. Register and onboard Invoker at CCF.
+2. Register Provider at CCF, store certificates and Publish Service API **service_1** at CCF with only **PKI** as security method allowed.
+3. Create Security Context indicating all security methods security methods as preferred in ***prefSecurityMethods*** attribute.
+4. Retrieve Security Context by **AEF**.
+
+**Information of Test**:
+
+1. Perform [Invoker Onboarding] and [Provider Registration] 
+
+2. Publish Service API at CCF:
+     * Send **POST** to ccf_publish_url **https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis**
+     * body [service api description] with apiName **service_1**
+       * apiName: **service_1**
+       * securityMethods: **PKI**
+     * Use **APF Certificate**
+
+3. Create Security Context for this Invoker
+     * Send **PUT** **https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}**
+     * body [service security body]
+         * prefSecurityMethods: **['PKI','PSK','OAUTH']**
+     * Using **Invoker Certificate**.
+     * Create Security Information Body with one **securityInfo** for each aef present at each serviceAPIDescription present at Discover.
+
+4. Retrieve Service Security by AEF:
+     * Sent GET **https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}?authenticationInfo=true&authorizationInfo=true**.
+     * Query parameters ***authenticationInfo*** and ***authorizationInfo*** set to true.
+     * Using **AEF Certificate**
+
+**Expected Result**:
+
+1. Response to Security Context Creation:
+      1. **200 OK** response.
+      2. body returned must accomplish **ServiceSecurity** data structure, with:
+          *  ***selSecurityMethod*** inside ***securityInfo***: **PKI**
+
+2. Response to GET Service Security:
+      1. **200 OK** Response.
+      2. body returned must accomplish **ServiceSecurity**
+         1. ***securityinfo*** attribue only contains one item with ***authenticationInfo*** containing CA root.
+
+
 
   [Return To All Test Plans]: ../README.md
   [service security body]: ./service_security.json  "Service Security Request"