diff --git a/utils/loadexternal.c b/utils/loadexternal.c index ff4b46f..d6b6c72 100644 --- a/utils/loadexternal.c +++ b/utils/loadexternal.c @@ -40,7 +40,7 @@ DER example: Create a key pair in PEM format - + > openssl genrsa -out keypair.pem -aes256 -passout pass:rrrr 2048 > openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem @@ -84,7 +84,7 @@ int main(int argc, char *argv[]) char hierarchyChar = 0; TPMI_RH_HIERARCHY hierarchy = TPM_RH_NULL; int keyType = TYPE_SI; - TPMI_ALG_SIG_SCHEME scheme = TPM_ALG_RSASSA; + TPMI_ALG_SIG_SCHEME scheme = TPM_ALG_ERROR; /* illegal value marker */ uint32_t keyTypeSpecified = 0; TPMI_ALG_PUBLIC algPublic = TPM_ALG_RSA; TPMI_ALG_HASH halg = TPM_ALG_SHA256; 
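Review bot: The new default `scheme = TPM_ALG_ERROR` in main's declarations is only safe if every path replaces the marker with a real scheme before the public area is built, and nothing in this hunk shows that step. main continues outside the hunk, so I cannot confirm it; if the resolution is there, a comment at the declaration such as `/* replaced by the key type's default after argument parsing; must never reach the TPM */` would make the invariant explicit. The regression cases added elsewhere in this commit pass `-scheme rsaoaep` and `-scheme rsapkcs1` for `-den` keys, so the variable presumably now carries decryption schemes as well, which the type name TPMI_ALG_SIG_SCHEME no longer describes.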
@@ -106,7 +106,7 @@ int main(int argc, char *argv[]) setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1"); tssUtilsVerbose = FALSE; - + /* command line argument defaults */ for (i=1 ; (i run.out +echo "loadexternal 0" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -v -h > run.out IF !ERRORLEVEL! EQU 0 ( exit /B 1 ) -echo "loadexternal" -%TPM_EXE_PATH%loadexternal -v -xxxxx > run.out +echo "loadexternal 1" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -v -xxxxx > run.out IF !ERRORLEVEL! EQU 0 ( exit /B 1 ) -echo "loadexternal" -%TPM_EXE_PATH%loadexternal -se0 > run.out +echo "loadexternal 2" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -se0 > run.out IF !ERRORLEVEL! EQU 0 ( exit /B 1 ) -echo "loadexternal" -%TPM_EXE_PATH%loadexternal -se0 02000000 > run.out +echo "loadexternal 3" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -se0 02000000 > run.out IF !ERRORLEVEL! EQU 0 ( exit /B 1 ) -echo "loadexternal" -%TPM_EXE_PATH%loadexternal -se0 02000000 100 > run.out +echo "loadexternal 4" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -se0 02000000 100 > run.out IF !ERRORLEVEL! EQU 0 ( exit /B 1 ) -echo "loadexternal" -%TPM_EXE_PATH%loadexternal -se1 > run.out +echo "loadexternal 5" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -se1 > run.out IF !ERRORLEVEL! EQU 0 ( exit /B 1 ) -echo "loadexternal" -%TPM_EXE_PATH%loadexternal -se1 02000000 > run.out +echo "loadexternal 6" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -se1 02000000 > run.out IF !ERRORLEVEL! EQU 0 ( exit /B 1 ) -echo "loadexternal" -%TPM_EXE_PATH%loadexternal -se1 02000000 100 > run.out +echo "loadexternal 7" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -se1 02000000 100 > run.out IF !ERRORLEVEL! 
EQU 0 ( exit /B 1 ) -echo "loadexternal" -%TPM_EXE_PATH%loadexternal -se2 > run.out +echo "loadexternal 8" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -se2 > run.out IF !ERRORLEVEL! EQU 0 ( exit /B 1 ) -echo "loadexternal" -%TPM_EXE_PATH%loadexternal -se2 02000000 > run.out +echo "loadexternal 9" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -se2 02000000 > run.out IF !ERRORLEVEL! EQU 0 ( exit /B 1 ) -echo "loadexternal" -%TPM_EXE_PATH%loadexternal -se2 02000000 100 > run.out +echo "loadexternal 10" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -se2 02000000 100 > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 11" +%TPM_EXE_PATH%loadexternal > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 12" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -hi > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 13" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -hi x > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 14" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -nalg > run.out IF !ERRORLEVEL! EQU 0 ( exit /B 1 ) +echo "loadexternal 15" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -nalg x > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 16" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -halg > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 17" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -halg x > run.out checkFailure $? +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 18" +%TPM_EXE_PATH%loadexternal -xxx > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 19" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -pwdk > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 20" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -si -scheme > run.out +IF !ERRORLEVEL! 
EQU 0 ( + exit /B 1 +) + +echo "loadexternal 21" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -si -scheme rsapkcs1 > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 22" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -si -scheme rsaoaep > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 23" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -den -scheme rsassa > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 24" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -den -scheme rsapss > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "loadexternal 25" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -si -scheme null > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the session" +%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "loadexternal 26" +%TPM_EXE_PATH%loadexternal -ipem signrsa3072pub.pem -den -scheme null > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the session" +%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + echo "makecredential" %TPM_EXE_PATH%makecredential -v -h > run.out IF !ERRORLEVEL! EQU 0 ( diff --git a/utils/regtests/testhelp.sh b/utils/regtests/testhelp.sh index f449dbc..8fb0732 100755 --- a/utils/regtests/testhelp.sh +++ b/utils/regtests/testhelp.sh 
@@ -2116,50 +2116,122 @@ echo "load" ${PREFIX}load -se2 02000000 100 > run.out checkFailure $? -echo "loadexternal" -${PREFIX}loadexternal -v -h > run.out +echo "loadexternal 0" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -v -h > run.out checkFailure $? -echo "loadexternal" -${PREFIX}loadexternal -v -xxxxx > run.out +echo "loadexternal 1" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -v -xxxxx > run.out checkFailure $? -echo "loadexternal" -${PREFIX}loadexternal -se0 > run.out +echo "loadexternal 2" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -se0 > run.out checkFailure $? -echo "loadexternal" -${PREFIX}loadexternal -se0 02000000 > run.out +echo "loadexternal 3" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -se0 02000000 > run.out checkFailure $? -echo "loadexternal" -${PREFIX}loadexternal -se0 02000000 100 > run.out +echo "loadexternal 4" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -se0 02000000 100 > run.out checkFailure $? -echo "loadexternal" -${PREFIX}loadexternal -se1 > run.out +echo "loadexternal 5" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -se1 > run.out checkFailure $? -echo "loadexternal" -${PREFIX}loadexternal -se1 02000000 > run.out +echo "loadexternal 6" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -se1 02000000 > run.out checkFailure $? -echo "loadexternal" -${PREFIX}loadexternal -se1 02000000 100 > run.out +echo "loadexternal 7" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -se1 02000000 100 > run.out checkFailure $? -echo "loadexternal" -${PREFIX}loadexternal -se2 > run.out +echo "loadexternal 8" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -se2 > run.out checkFailure $? -echo "loadexternal" -${PREFIX}loadexternal -se2 02000000 > run.out +echo "loadexternal 9" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -se2 02000000 > run.out checkFailure $? 
-echo "loadexternal" -${PREFIX}loadexternal -se2 02000000 100 > run.out +echo "loadexternal 10" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -se2 02000000 100 > run.out +checkFailure $? + +echo "loadexternal 11" +${PREFIX}loadexternal > run.out +checkFailure $? + +echo "loadexternal 12" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -hi > run.out +checkFailure $? + +echo "loadexternal 13" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -hi x > run.out +checkFailure $? + +echo "loadexternal 14" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -nalg > run.out +checkFailure $? + +echo "loadexternal 15" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -nalg x > run.out checkFailure $? +echo "loadexternal 16" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -halg > run.out +checkFailure $? + +echo "loadexternal 17" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -halg x > run.out checkFailure $? +checkFailure $? + +echo "loadexternal 18" +${PREFIX}loadexternal -xxx > run.out +checkFailure $? + +echo "loadexternal 19" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -pwdk > run.out +checkFailure $? + +echo "loadexternal 20" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -si -scheme > run.out +checkFailure $? + +echo "loadexternal 21" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -si -scheme rsapkcs1 > run.out +checkFailure $? + +echo "loadexternal 22" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -si -scheme rsaoaep > run.out +checkFailure $? + +echo "loadexternal 23" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -den -scheme rsassa > run.out +checkFailure $? + +echo "loadexternal 24" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -den -scheme rsapss > run.out +checkFailure $? + +echo "loadexternal 25" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -si -scheme null > run.out +checkSuccess $? + +echo "Flush the session" +${PREFIX}flushcontext -ha 80000001 > run.out +checkSuccess $? 
+ +echo "loadexternal 26" +${PREFIX}loadexternal -ipem signrsa3072pub.pem -den -scheme null > run.out +checkSuccess $? + +echo "Flush the session" +${PREFIX}flushcontext -ha 80000001 > run.out +checkSuccess $? + echo "makecredential" ${PREFIX}makecredential -v -h > run.out checkFailure $? diff --git a/utils/regtests/testrsa.bat b/utils/regtests/testrsa.bat index c5c9f5d..eea7065 100644 --- a/utils/regtests/testrsa.bat +++ b/utils/regtests/testrsa.bat @@ -39,13 +39,20 @@ REM ############################################################################ setlocal enableDelayedExpansion +echo "" +echo "RSA Decryption" +echo "" + for %%B in (2048 3072) do ( - echo "generate the %%B encryption key with openssl" + echo "Generate the %%B encryption key with openssl" openssl genrsa -out tmpkeypairrsa%%B.pem -aes256 -passout pass:rrrr 2048 echo "Convert key pair to plaintext DER format" openssl rsa -inform pem -outform der -in tmpkeypairrsa%%B.pem -out tmpkeypairrsa%%B.der -passin pass:rrrr > run.out + + echo "Convert %%B keypair to public key" + openssl pkey -inform pem -outform pem -in tmpkeypairrsa%%B.pem -passin pass:rrrr -pubout -out tmppubkey%%B.pem ) echo "" 
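Review bot: In the `loadexternal 17` case the command line appears to end with `> run.out checkFailure $?`, so `checkFailure` and `$?` are handed to loadexternal as extra arguments, and a separate `checkFailure $?` follows on the next line. The utility would then most likely fail on the stray arguments rather than on `-halg x`, so the bad hash-algorithm path is not what the case asserts. The command should read `${PREFIX}loadexternal -ipem signrsa3072pub.pem -halg x > run.out` with the check on its own line. The same tail was copied into case 17 of testhelp.bat, where `checkFailure $?` is not batch syntax at all. The line breaks on this page are collapsed, so this reading rests on the missing `+` marker before that text.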
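Review bot: The 3072 iteration of this loop still produces a 2048-bit key, because the context line `openssl genrsa -out tmpkeypairrsa%%B.pem -aes256 -passout pass:rrrr 2048` hard-codes the size, so the new `tmppubkey3072.pem` and every later step labelled 3072 actually run on 2048-bit material. Changing the last argument to `%%B` would make the label and the key agree. Whether testrsa.sh has the same issue cannot be seen from its hunks.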
@@ -204,6 +211,64 @@ IF !ERRORLEVEL! NEQ 0 ( exit /B 1 ) +echo "" +echo "Import PEM RSA encryption key userWithAuth test" +echo "" + +echo "Import the RSA 2048 encryption key under the primary key 80000000" +%TPM_EXE_PATH%importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Load the RSA 2048 encryption key 80000001" +%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "RSA encrypt with the encryption key" +%TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "RSA decrypt with the decryption key and password" +%TPM_EXE_PATH%rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Flush the encryption key" +%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Import the RSA 2048 encryption key under the primary key, userWithAuth false" +%TPM_EXE_PATH%importpem -hp 80000000 -si -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -uwa -opu tmppub.bin -opr tmppriv.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "Load the RSA 2048 encryption key" +%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + +echo "RSA decrypt with the decryption key and password - should fail" +%TPM_EXE_PATH%rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out +IF !ERRORLEVEL! EQU 0 ( + exit /B 1 +) + +echo "Flush the encryption key" +%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out +IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 +) + echo "" echo "Loadexternal DER encryption key" echo "" 
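Review bot: The negative case labelled "userWithAuth false" imports the key with `-si` rather than `-den`, so the rsadecrypt that "should fail" would presumably fail for a signing key regardless of what `-uwa` did to userWithAuth. As written, the test does not show that password authorization is refused. Importing it as a decryption key, as the positive case above does, would tie the failure to the attribute under test: `%TPM_EXE_PATH%importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa2048.pem -pwdk rrrr -uwa -opu tmppub.bin -opr tmppriv.bin > run.out`.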
@@ -262,7 +327,7 @@ echo "Encrypt with OpenSSL OAEP, decrypt with TPM" echo "" echo "Create OAEP encryption key" -%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha256 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out +%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha256 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out IF !ERRORLEVEL! NEQ 0 ( exit /B 1 ) @@ -302,7 +367,7 @@ echo "Child RSA decryption key RSAES" echo "" echo "Create RSAES encryption key" -%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -dee -opr deepriv.bin -opu deepub.bin > run.out +%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -dee -opr deepriv.bin -opu deepub.bin > run.out IF !ERRORLEVEL! NEQ 0 ( exit /B 1 ) @@ -343,7 +408,7 @@ echo "Primary RSA decryption key RSAES" echo "" echo "Create Primary RSAES encryption key" -%TPM_EXE_PATH%createprimary -hi p -dee -halg sha256 -opem tmppubkey.pem > run.out +%TPM_EXE_PATH%createprimary -hi p -dee -halg sha256 -opem tmppubkey.pem > run.out IF !ERRORLEVEL! NEQ 0 ( exit /B 1 ) 
@@ -407,6 +472,49 @@ IF !ERRORLEVEL! NEQ 0 ( exit /B 1 ) +echo "" +echo "OpenSSL key, Encrypt with OpenSSL, decrypt with TPM" +echo "" + +REM The rsa_oaep_md:sha256 parameter is ignored for pkcs1 + +for %%B in (2048 3072) do ( + + for %%S in (oaep pkcs1) do ( + + echo "Encrypt using OpenSSL %%S and the %%B PEM public key" + openssl pkeyutl -encrypt -inkey tmppubkey%%B.pem -pubin -pkeyopt rsa_padding_mode:%%S -pkeyopt rsa_oaep_md:sha256 -in policies/aaa -out enc.bin > run.out 2>&1 + IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 + ) + + echo "Loadexternal the openssl %%B %%S key pair in the NULL hierarchy 80000001" + %TPM_EXE_PATH%loadexternal -den -scheme rsa%%S -ider tmpkeypairrsa%%B.der -pwdk rrrr > run.out + IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 + ) + + echo "Decrypt using TPM key at 80000001" + %TPM_EXE_PATH%rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out + IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 + ) + + echo "Verify the decrypt result" + diff policies/aaa dec.bin > run.out + IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 + ) + + echo "Flush the encryption key" + %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out + IF !ERRORLEVEL! NEQ 0 ( + exit /B 1 + ) + ) +) + + REM cleanup rm -f tmp.bin @@ -421,6 +529,14 @@ rm -f tmpkeypairrsa2048.der rm -f tmpkeypairrsa2048.pem rm -f tmpkeypairrsa3072.der rm -f tmpkeypairrsa3072.pem +rm -f tmpkeypairrsaenc2048.pem +rm -f tmpkeypairrsadec2048.pem +rm -f tmppubkey2048.bin +rm -f tmppubkey2048.pem +rm -f tmpkeypairrsaenc3072.pem +rm -f tmpkeypairrsadec3072.pem +rm -f tmppubkey3072.bin +rm -f tmppubkey3072.pem rm -f tmppubkey.bin rm -f tmppubkey.pem rm -f tmpprivkey.bin @@ -429,6 +545,5 @@ exit /B 0 REM getcapability -cap 1 -pr 80000000 REM getcapability -cap 1 -pr 02000000 -REM +REM REM flushcontext -ha 80000001 - diff --git a/utils/regtests/testrsa.sh b/utils/regtests/testrsa.sh index 15577b6..854fb62 100755 --- a/utils/regtests/testrsa.sh +++ b/utils/regtests/testrsa.sh 
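Review bot: The comment `REM The rsa_oaep_md:sha256 parameter is ignored for pkcs1` describes behaviour of the installed OpenSSL rather than of this script, and some OpenSSL releases may reject `-pkeyopt rsa_oaep_md:sha256` when the padding mode is not OAEP. I would confirm this on the oldest OpenSSL the regression suite supports, or pass the option only in the oaep iteration. The same command and comment are added to testrsa.sh in its `@@ -408,7 +416,45 @@` hunk.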
@@ -7,7 +7,7 @@ # Written by Ken Goldman # # IBM Thomas J. Watson Research Center # # # -# (c) Copyright IBM Corporation 2015 - 2022 # +# (c) Copyright IBM Corporation 2015 - 2023 # # # # All rights reserved. # # # @@ -52,7 +52,7 @@ echo "" # -----BEGIN ENCRYPTED PRIVATE KEY----- # -echo "Generate the encryption key with openssl" +echo "Generate the encryption keys with openssl" if [ ${CRYPTOLIBRARY} == "openssl" ]; then for BITS in 2048 3072 @@ -64,6 +64,9 @@ if [ ${CRYPTOLIBRARY} == "openssl" ]; then echo "Convert key pair to plaintext DER format" openssl pkey -inform pem -in tmpkeypairrsa${BITS}.pem -outform der -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1 + echo "Convert ${BITS} keypair to public key" + openssl pkey -inform pem -outform pem -in tmpkeypairrsa${BITS}.pem -passin pass:rrrr -pubout -out tmppubkey${BITS}.pem + done 
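Review bot: The added `openssl pkey ... -pubout -out tmppubkey${BITS}.pem` line has no result check, so a failed conversion would only surface later as an unrelated encrypt failure. I would follow the pattern used in the rest of the script: append `> run.out 2>&1` to the command and put `checkSuccess $?` on the next line. The matching line added to testrsa.bat likewise lacks the `IF !ERRORLEVEL! NEQ 0` block. The enclosing loop starts above this hunk.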
@@ -302,39 +305,44 @@ if [ ${CRYPTOLIBRARY} == "openssl" ]; then fi echo "" -echo "Encrypt with OpenSSL OAEP, decrypt with TPM" +echo "TPM key, Encrypt with OpenSSL OAEP, decrypt with TPM" echo "" -echo "Create OAEP encryption key" -${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha256 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out -checkSuccess $? +for BITS in 2048 3072 +do -echo "Load encryption key at 80000001" -${PREFIX}load -hp 80000000 -pwdp sto -ipr tmpprivkey.bin -ipu tmppubkey.bin > run.out -checkSuccess $? + echo "Create ${BITS} OAEP encryption key" + ${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -rsa ${BITS} -halg sha256 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out + checkSuccess $? -echo "Encrypt using OpenSSL and the PEM public key" -openssl pkeyutl -encrypt -inkey tmppubkey.pem -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -in policies/aaa -out enc.bin > run.out 2>&1 -checkSuccess $? + echo "Load ${BITS} encryption key at 80000001" + ${PREFIX}load -hp 80000000 -pwdp sto -ipr tmpprivkey.bin -ipu tmppubkey.bin > run.out + checkSuccess $? -echo "Decrypt using TPM key at 80000001" -${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out -checkSuccess $? + echo "Encrypt using OpenSSL and the PEM public key" + openssl pkeyutl -encrypt -inkey tmppubkey.pem -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -in policies/aaa -out enc.bin > run.out 2>&1 + checkSuccess $? -echo "Verify the decrypt result" -diff policies/aaa dec.bin > run.out -checkSuccess $? + echo "Decrypt using TPM key at 80000001" + ${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out + checkSuccess $? -echo "Flush the encryption key" -${PREFIX}flushcontext -ha 80000001 > run.out -checkSuccess $? + echo "Verify the decrypt result" + diff policies/aaa dec.bin > run.out + checkSuccess $? 
+ + echo "Flush the encryption key" + ${PREFIX}flushcontext -ha 80000001 > run.out + checkSuccess $? + +done echo "" echo "Child RSA decryption key RSAES" echo "" echo "Create RSAES encryption key" -${PREFIX}create -hp 80000000 -pwdp sto -dee -opr deepriv.bin -opu deepub.bin > run.out +${PREFIX}create -hp 80000000 -pwdp sto -dee -opr deepriv.bin -opu deepub.bin > run.out checkSuccess $? echo "Load encryption key at 80000001" @@ -363,7 +371,7 @@ echo "Primary RSA decryption key RSAES" echo "" echo "Create Primary RSAES encryption key" -${PREFIX}createprimary -hi p -dee -halg sha256 -opem tmppubkey.pem > run.out +${PREFIX}createprimary -hi p -dee -halg sha256 -opem tmppubkey.pem > run.out checkSuccess $? echo "RSA encrypt with the encryption key" 
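Review bot: The 2048/3072 loop and the `-rsa ${BITS}` argument added to `create` here have no counterpart in testrsa.bat, whose "Create OAEP encryption key" line gets only a whitespace change in this commit. The Windows run therefore keeps testing only the default key size for the TPM-key OAEP case. If that is intended, a short comment in the .bat would say so; otherwise wrap the same block in `for %%B in (2048 3072) do (` and add `-rsa %%B` to its `create` line.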
@@ -408,7 +416,45 @@ echo "Flush the encryption key" ${PREFIX}flushcontext -ha 80000001 > run.out checkSuccess $? -# cleanup +if [ ${CRYPTOLIBRARY} == "openssl" ]; then + + echo "" + echo "OpenSSL key, Encrypt with OpenSSL, decrypt with TPM" + echo "" + + # The rsa_oaep_md:sha256 parameter is ignored for pkcs1 + + for BITS in 2048 3072 + do + + for SCHEME in oaep pkcs1 + do + + echo "Encrypt using OpenSSL ${SCHEME} and the ${BITS} PEM public key" + openssl pkeyutl -encrypt -inkey tmppubkey${BITS}.pem -pubin -pkeyopt rsa_padding_mode:${SCHEME} -pkeyopt rsa_oaep_md:sha256 -in policies/aaa -out enc.bin > run.out 2>&1 + checkSuccess $? + + echo "Loadexternal the openssl ${BITS} ${SCHEME} key pair in the NULL hierarchy 80000001" + ${PREFIX}loadexternal -den -scheme rsa${SCHEME} -ider tmpkeypairrsa${BITS}.der -pwdk rrrr > run.out + checkSuccess $? + + echo "Decrypt using TPM key at 80000001" + ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin > run.out + checkSuccess $? + + echo "Verify the decrypt result" + diff policies/aaa dec.bin > run.out + checkSuccess $? + + echo "Flush the encryption key" + ${PREFIX}flushcontext -ha 80000001 > run.out + checkSuccess $? + + done + done +fi + + # cleanup rm -f tmp.bin rm -f enc.bin @@ -424,10 +470,12 @@ do rm -f tmpkeypairrsa${BITS}.pem rm -f tmpkeypairrsaenc${BITS}.pem rm -f tmpkeypairrsadec${BITS}.pem + rm -f tmppubkey${BITS}.bin + rm -f tmppubkey${BITS}.pem done -rm -f tmppubkey.bin rm -f tmppubkey.pem -rm -f tmpprivkey.bin +rm -f tmppubkey.bin +rm -f tmpprivkey.bin # ${PREFIX}getcapability -cap 1 -pr 80000000 # ${PREFIX}getcapability -cap 1 -pr 02000000