diff --git a/configure.ac b/configure.ac
index a8378cef8a..3ddf1fd34a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -842,6 +842,7 @@ AC_OUTPUT([doc/version.ent
            src/lib/cc/session_config.h.pre
            src/lib/cc/tests/session_unittests_config.h
            src/lib/log/tests/run_time_init_test.sh
+           src/lib/server_common/tests/data_path.h
            tests/system/conf.sh
            tests/system/glue/setup.sh
            tests/system/glue/nsx1/b10-config.db
diff --git a/src/lib/server_common/keyring.cc b/src/lib/server_common/keyring.cc
index 55e5229dda..d953fabbd5 100644
--- a/src/lib/server_common/keyring.cc
+++ b/src/lib/server_common/keyring.cc
@@ -13,3 +13,23 @@
 // PERFORMANCE OF THIS SOFTWARE.
 
 #include <server_common/keyring.h>
+
+namespace isc {
+namespace server_common {
+
+boost::shared_ptr<dns::TSIGKeyRing> keyring;
+
+void
+initKeyring(config::ModuleCCSession& session) {
+    // TODO
+    (void) session;
+}
+
+void
+deinitKeyring(config::ModuleCCSession& session) {
+    // TODO
+    (void) session;
+}
+
+}
+}
diff --git a/src/lib/server_common/keyring.h b/src/lib/server_common/keyring.h
index 989ca7bb6c..6f80e88019 100644
--- a/src/lib/server_common/keyring.h
+++ b/src/lib/server_common/keyring.h
@@ -49,7 +49,7 @@ namespace server_common {
  * but you need to call initKeyring first, otherwise you'll find a NULL pointer
  * here only.
  */
-boost::shared_ptr<dns::TSIGKeyRing> keyring;
+extern boost::shared_ptr<dns::TSIGKeyRing> keyring;
 
 /**
  * \brief Load the key ring for the first time
@@ -65,7 +65,8 @@ boost::shared_ptr<dns::TSIGKeyRing> keyring;
  *
  * \param session The configuration session used to talk to the config manager.
  */
-void initKeyring(config::ModuleCCSession& session);
+void
+initKeyring(config::ModuleCCSession& session);
 
 /**
  * \brief Unload the key ring
@@ -82,7 +83,8 @@ void initKeyring(config::ModuleCCSession& session);
  *
  * \param session The configuration session used to talk to the config manager.
  */
-void deinitKeyring(config::ModuleCCSession& session);
+void
+deinitKeyring(config::ModuleCCSession& session);
 
 }
 }
diff --git a/src/lib/server_common/tests/Makefile.am b/src/lib/server_common/tests/Makefile.am
index a04a884312..e711002b1a 100644
--- a/src/lib/server_common/tests/Makefile.am
+++ b/src/lib/server_common/tests/Makefile.am
@@ -27,6 +27,8 @@ if HAVE_GTEST
 TESTS += run_unittests
 run_unittests_SOURCES  = run_unittests.cc
 run_unittests_SOURCES += portconfig_unittest.cc
+run_unittests_SOURCES += keyring_test.cc
+run_unittests_SOURCES += data_path.h
 
 run_unittests_CPPFLAGS = $(AM_CPPFLAGS) $(GTEST_INCLUDES)
 run_unittests_LDFLAGS = $(AM_LDFLAGS) $(GTEST_LDFLAGS)
@@ -38,6 +40,8 @@ run_unittests_LDADD += $(top_builddir)/src/lib/asiolink/libasiolink.la
 run_unittests_LDADD += $(top_builddir)/src/lib/asiodns/libasiodns.la
 run_unittests_LDADD += $(top_builddir)/src/lib/cc/libcc.la
 run_unittests_LDADD += $(top_builddir)/src/lib/dns/libdns++.la
+run_unittests_LDADD += $(top_builddir)/src/lib/config/libcfgclient.la
+run_unittests_LDADD += $(top_builddir)/src/lib/config/tests/libfake_session.la
 endif
 
 noinst_PROGRAMS = $(TESTS)
diff --git a/src/lib/server_common/tests/data_path.h.in b/src/lib/server_common/tests/data_path.h.in
new file mode 100644
index 0000000000..8ac0380bac
--- /dev/null
+++ b/src/lib/server_common/tests/data_path.h.in
@@ -0,0 +1,16 @@
+// Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")   
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+// PERFORMANCE OF THIS SOFTWARE.
+
+#define TEST_DATA_PATH "@abs_srcdir@/testdata"
+#define PLUGIN_DATA_PATH "@top_srcdir@/src/bin/cfgmgr/plugins"
diff --git a/src/lib/server_common/tests/keyring_test.cc b/src/lib/server_common/tests/keyring_test.cc
new file mode 100644
index 0000000000..075b659e2f
--- /dev/null
+++ b/src/lib/server_common/tests/keyring_test.cc
@@ -0,0 +1,131 @@
+// Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+// PERFORMANCE OF THIS SOFTWARE.
+
+#include <server_common/keyring.h>
+#include <server_common/tests/data_path.h>
+
+#include <config/tests/fake_session.h>
+#include <config/ccsession.h>
+#include <dns/name.h>
+
+#include <gtest/gtest.h>
+#include <memory>
+#include <string>
+
+using namespace isc::data;
+using namespace isc::config;
+using namespace isc::server_common;
+using namespace isc::dns;
+
+namespace {
+
+class KeyringTest : public ::testing::Test {
+public:
+    KeyringTest() :
+        session(ElementPtr(new ListElement), ElementPtr(new ListElement),
+                ElementPtr(new ListElement)),
+        specfile(std::string(TEST_DATA_PATH) + "/spec.spec")
+    {
+        session.getMessages()->add(createAnswer());
+        mccs.reset(new ModuleCCSession(specfile, session, NULL, NULL));
+    }
+    isc::cc::FakeSession session;
+    std::auto_ptr<ModuleCCSession> mccs;
+    std::string specfile;
+    void doInit() {
+        // Prepare the module specification for it and the config
+        session.getMessages()->
+            add(createAnswer(0,
+                             moduleSpecFromFile(std::string(PLUGIN_DATA_PATH) +
+                                                "/tsig_keys.spec").
+                             getFullSpec()));
+        session.getMessages()->add(createAnswer(0, Element::fromJSON(
+            "{\"keys\": [\"key:MTIzNAo=:sha1\"]}")));
+        // Now load it
+        EXPECT_NO_THROW(initKeyring(*mccs));
+        EXPECT_NE(keyring, boost::shared_ptr<TSIGKeyRing>()) <<
+            "No keyring even after init";
+    }
+};
+
+// Test usual use - init, using the keyring, update, deinit
+TEST_F(KeyringTest, keyring) {
+    // First, initialize it
+    {
+        SCOPED_TRACE("Init");
+        doInit();
+
+        // Make sure it contains the correct key
+        TSIGKeyRing::FindResult result(keyring->find(Name("key"),
+                                                     TSIGKey::HMACSHA1_NAME()));
+        EXPECT_EQ(TSIGKeyRing::SUCCESS, result.code);
+    }
+
+    {
+        SCOPED_TRACE("Update");
+        session.getMessages()->add(createCommand("config_update",
+                                                 Element::fromJSON(
+            "{\"keys\": [\"another:MTIzNAo=:sha256\"]}")));
+        mccs->checkCommand();
+
+        // Make sure it no longer contains the original key
+        TSIGKeyRing::FindResult result(keyring->find(Name("key"),
+                                                     TSIGKey::HMACSHA1_NAME()));
+        EXPECT_EQ(TSIGKeyRing::NOTFOUND, result.code);
+        // but it does contain the new one
+        TSIGKeyRing::FindResult result2 = keyring->find(Name("another"),
+            TSIGKey::HMACSHA256_NAME());
+        EXPECT_EQ(TSIGKeyRing::SUCCESS, result2.code);
+    }
+
+    {
+        SCOPED_TRACE("Deinit");
+        deinitKeyring(*mccs);
+        EXPECT_EQ(keyring, boost::shared_ptr<TSIGKeyRing>()) <<
+            "The keyring didn't disappear";
+    }
+}
+
+// Init twice
+TEST_F(KeyringTest, initTwice) {
+    // It is NULL before
+    EXPECT_EQ(keyring, boost::shared_ptr<TSIGKeyRing>()) <<
+        "Someone forgot to deinit it before";
+    {
+        SCOPED_TRACE("First init");
+        doInit();
+    }
+    boost::shared_ptr<TSIGKeyRing> backup(keyring);
+    {
+        SCOPED_TRACE("Second init");
+        EXPECT_NO_THROW(initKeyring(*mccs)) <<
+            "It not only does something when it is already initialized, "
+            "it even throws at it";
+    }
+    EXPECT_EQ(backup, keyring) << "The second init replaced the data";
+}
+
+// deinit when not initialized
+TEST_F(KeyringTest, extraDeinit) {
+    // It is NULL before
+    EXPECT_EQ(keyring, boost::shared_ptr<TSIGKeyRing>()) <<
+        "Someone forgot to deinit it before";
+    // Check that it doesn't get confused when we do not have it initialized
+    EXPECT_NO_THROW(deinitKeyring(*mccs));
+    // It is still NULL
+    EXPECT_EQ(keyring, boost::shared_ptr<TSIGKeyRing>()) <<
+        "Where did it get something after deinit?";
+}
+
+}
diff --git a/src/lib/server_common/tests/testdata/spec.spec b/src/lib/server_common/tests/testdata/spec.spec
new file mode 100644
index 0000000000..3e0a8226b0
--- /dev/null
+++ b/src/lib/server_common/tests/testdata/spec.spec
@@ -0,0 +1,6 @@
+{
+    "module_spec": {
+        "module_name": "test"
+    }
+}
+