diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index 5f879cbe71..bc8cc9e0f5 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -67,6 +67,8 @@ VIEW3="C1Azf+gGPMmxrUg/WQINP6eV9Y0="
 # PRIVKEY_STAT
 # PUBKEY_STAT
 # STATE_STAT
+# FLAGS
+# KEYDIR
 key_key() {
 echo "${1}__${2}"
@@ -132,6 +134,7 @@ key_clear() {
 key_set "$1" "PRIVKEY_STAT" '0'
 key_set "$1" "PUBKEY_STAT" '0'
 key_set "$1" "STATE_STAT" '0'
+ key_set "$1" "KEYDIR" 'none'
 }
 # Start clear.
@@ -176,7 +179,7 @@ get_keyids() {
 _zone=$2
 _regex="K${_zone}.+*+*.key"
- find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2,"
+ find "${_dir}" -mindepth 1 -maxdepth 3 -name "${_regex}" | sed "s,.*/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2,"
 }
 # By default log errors and don't quit immediately.
@@ -313,6 +316,13 @@ set_keystate() {
 key_set "$1" "$2" "$3"
 }
+# Set key directory.
+# $1: Key to update (KEY1, KEY2, ...)
+# $2: Directory.
+set_keydir() {
+ key_set "$1" "KEYDIR" "$2"
+}
+
 # Check the key $1 with id $2.
 # This requires environment variables to be set.
 #
@@ -324,7 +334,10 @@ set_keystate() {
 # KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//')
 # KEY_CREATED (from the KEY_FILE)
 check_key() {
- _dir="$DIR"
+ _dir=$(key_get "$1" KEYDIR)
+ if [ "$_dir" = "none" ]; then
+ _dir="$DIR"
+ fi
 _zone="$ZONE"
 _role=$(key_get "$1" ROLE)
 _key_idpad="$2"
@@ -465,7 +478,10 @@ check_key() {
 # Check the key timing metadata for key $1.
 check_timingmetadata() {
- _dir="$DIR"
+ _dir=$(key_get "$1" KEYDIR)
+ if [ "$_dir" = "none" ]; then
+ _dir="$DIR"
+ fi
 _zone="$ZONE"
 _key_idpad=$(key_get "$1" ID)
 _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//')
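Review bot: check_key falls back to `$DIR` only when KEYDIR is exactly the string `none`, so a key whose KEYDIR field was never initialised (no key_clear before set_keyrole, which the added `key_clear "KEY1"` in tests.sh at line 127 suggests was possible before) presumably ends up with an empty `_dir`, and any path built as `${_dir}/K...` would then resolve from the filesystem root; check_timingmetadata in the following hunk has the same gap. Treating the empty value like the sentinel keeps the key_clear convention and closes the hole: `_dir=$(key_get "$1" KEYDIR)` followed by `case "$_dir" in ""|none) _dir="$DIR" ;; esac`. Whether key_get yields an empty string for an unset field is not visible here, so that is worth confirming. Both function bodies continue beyond their hunks.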
@@ -644,11 +660,11 @@ check_keytimes() {
 # STATE_FILE="${BASE_FILE}.state"
 # KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//')
 key_unused() {
- _dir=$DIR
- _zone=$ZONE
- _key_idpad=$1
+ _dir="$DIR"
+ _zone="$ZONE"
+ _key_idpad="$1"
 _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//')
- _alg_num=$2
+ _alg_num="$2"
 _alg_numpad=$(printf "%03d" "$_alg_num")
 BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}"
@@ -788,6 +804,8 @@ _check_keys() {
 #
 # It is expected that KEY1, KEY2, KEY3, and KEY4 arrays are set correctly.
 # Found key identifiers are stored in the right key array.
+# Keys are found if they are stored inside $DIR or in a subdirectory up to
+# three levels deeper.
 check_keys() {
 n=$((n + 1))
 echo_i "check keys are created for zone ${ZONE} ($n)"
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index d31b53a464..8102d50597 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -35,3 +35,5 @@ rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
 rm -f python.out.*
 rm -f *-supported.file
 rm -f created.key-* unused.key-*
+rm -f ns3/ksk/K* ns3/zsk/K*
+rm -rf ./ns3/ksk/ ./ns3/zsk/
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
index 01d7592686..3ca1551c29 100644
--- a/bin/tests/system/kasp/ns3/named-fips.conf.in
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -166,6 +166,14 @@ zone "inline-signing.kasp" {
 dnssec-policy "default";
 };
+/* A zone that uses dnssec-policy with key stores. */
+zone "keystore.kasp" {
+ type primary;
+ file "keystore.kasp.db";
+ inline-signing yes;
+ dnssec-policy "keystore";
+};
+
 /*
 * A configured dnssec-policy but some keys already created.
 */
diff --git a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in
index 6778bac4d3..7b775f14b8 100644
--- a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in
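Review bot: key_unused still builds `BASE_FILE` from `$DIR` alone, whereas check_key and check_timingmetadata in the previous hunks now resolve a per-key directory, so a key living in a key-store subdirectory cannot be verified as unused through this helper. Because the function is called with a raw id and algorithm rather than a KEYn name, it has no KEYDIR to consult, which makes the limitation easy to miss; a one-line comment above the `_dir="$DIR"` assignment such as `# NOTE: only looks in $DIR; keys in key-store subdirectories are not covered.` would make it explicit. The function body continues beyond the hunk.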
@@ -121,3 +121,20 @@ dnssec-policy "checkds-csk" {
 dnssec-policy "ttl" {
 max-zone-ttl 299;
 };
+
+key-store "ksk" {
+ directory "ksk";
+};
+
+key-store "zsk" {
+ directory "zsk";
+};
+
+dnssec-policy "keystore" {
+ dnskey-ttl 303;
+
+ keys {
+ ksk key-store "ksk" lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-store "zsk" lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 4d76d250c6..dd9dc83d8f 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -16,6 +16,10 @@ echo_i "ns3/setup.sh"
+# Create key store directories.
+mkdir ksk
+mkdir zsk
+
 setup() {
 zone="$1"
 echo_i "setting up zone: $zone"
@@ -46,7 +50,7 @@ for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
 rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
 dynamic dynamic-inline-signing inline-signing \
 checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
- manual-rollover multisigner-model2; do
+ manual-rollover multisigner-model2 keystore; do
 setup "${zn}.kasp"
 cp template.db.in "$zonefile"
 done
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 59dd4d391a..e0eb143385 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -127,6 +127,7 @@ set_zone "kasp"
 set_policy "default" "1" "3600"
 set_server "." "10.53.0.1"
 # Key properties.
+key_clear "KEY1"
 set_keyrole "KEY1" "csk"
 set_keylifetime "KEY1" "0"
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
@@ -538,6 +539,7 @@ key_clear "KEY4"
 set_zone "checkds-ksk.kasp"
 set_policy "checkds-ksk" "2" "303"
 set_server "ns3" "10.53.0.3"
+
 # Key properties.
 set_keyrole "KEY1" "ksk"
 set_keylifetime "KEY1" "0"
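Review bot: In ns3/setup.sh the new `mkdir ksk` and `mkdir zsk` fail when the directories already exist, e.g. when setup is re-run without clean.sh having removed them, and what happens after that failure depends on how the script handles errors, which is not visible in the hunk. `mkdir -p ksk zsk` is idempotent and behaves identically on a fresh tree, so it avoids a spurious setup failure without changing the test.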
@@ -940,6 +942,55 @@ check_apex
 check_subdomain
 dnssec_verify
+#
+# Zone: keystore.kasp.
+#
+set_zone "keystore.kasp"
+set_policy "keystore" "2" "303"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
+set_keydir "KEY1" "ns3/ksk"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
+set_keydir "KEY2" "ns3/zsk"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+
+# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
+# ZSK: DNSKEY, RRSIG (zsk) published.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+# Two keys only.
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Reuse set_keytimes_csk_policy to set the KEY1 keytimes.
+set_keytimes_csk_policy
+created=$(key_get KEY2 CREATED)
+set_keytime "KEY2" "PUBLISHED" "${created}"
+set_keytime "KEY2" "ACTIVE" "${created}"
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
 #
 # Zone: inherit.kasp.
 #
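Review bot: The keystore.kasp section establishes that the KSK and ZSK files exist under `ns3/ksk` and `ns3/zsk` (via set_keydir feeding check_key) but never asserts that no key file for the zone was written to the server's default directory, so a regression that writes private key material to both the key store and `ns3/` would still pass. Whether get_keyids' wider three-level search would surface such a duplicate depends on check_keys, whose body is outside this diff, so an explicit negative check after `check_keys` is the safer guard, e.g. `for f in ns3/Kkeystore.kasp.*; do [ -e "$f" ] && echo_i "unexpected key file $f in default directory"; done`, with the failure recorded the same way the surrounding checks in tests.sh do (that convention is not visible in the hunk).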