diff --git a/doc/releasenotes.md b/doc/releasenotes.md index 2b3cee8cd7863568ab99da3e8812f2ca4396cc8e..106b2cef2c58a27dcff61573cb067b3eb8e81d10 100644 --- a/doc/releasenotes.md +++ b/doc/releasenotes.md @@ -17,8 +17,6 @@ ### **Technical Debt Solved** -- Implemented in the API Provider Management the supported features negotiation for the suppFeat field during provider registration. The server now decodes the negotiated feature set based on client capabilities and system support. - #### **Hardening on startup scripts for services interacting with Vault** The startup scripts of the ***Invoker Management Service***, ***Provider Management Service***, and ***Security Service*** have been improved to ensure reliability when the Vault service takes longer to become ready. These new scripts check responses from the Vault to ensure the returned information is valid before starting each service. @@ -33,6 +31,18 @@ This will also helps on the restart issue on k8s deployed OpenCAPIF. - Documentation about Dynamic Configuration. - Documentation about Helper and Register swaggers. +#### SupportedFeatures Negotiation + +- Implemented in the API Provider Management the supported features negotiation for the suppFeat field during provider registration. The server now decodes the negotiated feature set based on client capabilities and system support. + +- Code Review of Events API according to the supported features negotiation. + +- Code Review of Discover API according to the supported features negotiation. + +#### Security Method PKI + +- Security API Service GET /trustedInvokers/{apiIncokerId} logic updated. Now it will check securityMethod selected and according to that, inserts on authenticationInfo and authorizedInfo attributes the needed information [PKI Flow](https://labs.etsi.org/rep/ocf/community/-/wikis/pki-flow) + ### **Documentation** #### Improvements over documentation 
@@ -46,6 +56,7 @@ This will also helps on the restart issue on k8s deployed OpenCAPIF. - New tests related with [Event Filter Feature](./testing/testplan/event_filter/README.md). - New tests related with [Vendor Extensibility](./testing/testplan/vendor_extensibility/README.md) - [Security Service Testplan](./testing/testplan/api_security_service/README.md) updated according to new features and Technical debts. +- New test on [Security Service Testplan](./testing/testplan/api_security_service/README.md) related with PKI security Method flow, GET request to security perform by AEF must returns CA_Root on authenticationInfo attribute at SecurityInfo. ## **Release 2.0.0** diff --git a/doc/testing/testplan/api_security_service/README.md b/doc/testing/testplan/api_security_service/README.md index eeed75e4e5120c52cf4c53b02e14f78079c33d3b..224d1c22afbae9a81923295a4aa0940f447ef71e 100644 --- a/doc/testing/testplan/api_security_service/README.md +++ b/doc/testing/testplan/api_security_service/README.md 
@@ -1341,6 +1341,61 @@ At this documentation you will have all information and related files and exampl * error invalid_scope * error_description=One of the api names does not exist or is not associated with the aef id provided +## Test Case 28: Retrieve Security Context from AEF using PKI-secured API Invoker + +**Test ID**:: ***capif_security_api-28***, ***smoke*** + +**Description**: + + Validate that the AEF can successfully retrieve the security context of an API Invoker when the selected security method is PKI and it contains CA root at ***authenticationInfo*** attribute inside securityInfo. + +**Pre-Conditions**: + + * API Invoker is pre-authorised and Provider is also authorized + +**Execution Steps**: + +1. Register and onboard Invoker at CCF. +2. Register Provider at CCF, store certificates and Publish Service API **service_1** at CCF with only **PKI** as security method allowed. +3. Create Security Context indicating all security methods security methods as preferred in ***prefSecurityMethods*** attribute. +4. Retrieve Security Context by **AEF**. + +**Information of Test**: + +1. Perform [Invoker Onboarding] and [Provider Registration] + +2. Publish Service API at CCF: + * Send **POST** to ccf_publish_url **https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis** + * body [service api description] with apiName **service_1** + * apiName: **service_1** + * securityMethods: **PKI** + * Use **APF Certificate** + +3. Create Security Context for this Invoker + * Send **PUT** **https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}** + * body [service security body] + * prefSecurityMethods: **['PKI','PSK','OAUTH']** + * Using **Invoker Certificate**. + * Create Security Information Body with one **securityInfo** for each aef present at each serviceAPIDescription present at Discover. + +4. Retrieve Service Security by AEF: + * Sent GET **https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}?authenticationInfo=true&authorizationInfo=true**. 
+ * Query parameters ***authenticationInfo*** and ***authorizationInfo*** set to true. + * Using **AEF Certificate** + +**Expected Result**: + +1. Response to Security Context Creation: + 1. **200 OK** response. + 2. body returned must accomplish **ServiceSecurity** data structure, with: + * ***selSecurityMethod*** inside ***securityInfo***: **PKI** + +2. Response to GET Service Security: + 1. **200 OK** Response. + 2. body returned must accomplish **ServiceSecurity** + 1. ***securityinfo*** attribue only contains one item with ***authenticationInfo*** containing CA root. + + [Return To All Test Plans]: ../README.md [service security body]: ./service_security.json "Service Security Request"
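Review bot: In the doc/releasenotes.md hunk at @@ -33,6 +31,18 @@, the Security Method PKI bullet spells the path parameter `{apiIncokerId}` and names the attribute `authorizedInfo`, while the test plan added in this same patch uses `{apiInvokerId}` and the query parameter `authorizationInfo`. Please align the release note with those names, since readers will copy them. The two new headings are plain (`#### SupportedFeatures Negotiation`, `#### Security Method PKI`) where the neighbouring one in the context lines is bold (`#### **Hardening on startup scripts for services interacting with Vault**`), and the PKI Flow link runs straight on from "the needed information" with no punctuation or "see" before it.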
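Review bot: The bullet added in the doc/releasenotes.md hunk at @@ -46,6 +56,7 @@ does not name the test it announces. Cite the test ID capif_security_api-28 (Test Case 28 in the linked README) so the release note can be traced to the test. The wording also needs a pass: "GET request to security perform by AEF must returns" should read "performed by AEF must return", and `CA_Root` is written "CA root" in the test case itself, so one form should be used in both places.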
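Review bot: In Test Case 28 (doc/testing/testplan/api_security_service/README.md, @@ -1341,6 +1341,61 @@), step 4 of Information of Test sends both `authenticationInfo=true` and `authorizationInfo=true`, but Expected Result 2 only says what ***authenticationInfo*** must contain. State what ***authorizationInfo*** is expected to hold, or that it is expected to be absent, when the selected method is PKI; otherwise half of the request goes unchecked. The CA root assertion should also say what the returned value is checked against, so the test verifies the content and not only that the field is populated. Step 3 of Information of Test builds one **securityInfo** per AEF "present at Discover", yet neither Execution Steps nor Information of Test includes a Discover request, so either add that step or reword. Minor wording in the same hunk: "all security methods security methods" is duplicated, "Sent GET" should be "Send GET", and "***securityinfo*** attribue" should be "***securityInfo*** attribute" to match the casing used in Expected Result 1.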