diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
index 8c57ff03a..ba916eafa 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
@@ -152,6 +152,18 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 DEK_BLOB_OFFSET="0x100"
 fi
+# Function to generate a PKI tree (with lock dir protection)
+GENPKI_LOCK_DIR="${CONFIG_SIGN_KEYS_PATH}/.genpki.lock"
+gen_pki_tree() {
+ if mkdir -p ${GENPKI_LOCK_DIR}; then
+ trustfence-gen-pki.sh ${CONFIG_SIGN_KEYS_PATH}
+ rm -rf ${GENPKI_LOCK_DIR}
+ else
+ echo "Could not get lock to generate PKI tree"
+ exit 1
+ fi
+}
+
 # Default values
 [ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0"
 CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"
@@ -170,7 +182,7 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 echo "Using existing PKI tree"
 elif [ "${n_commas}" -eq 0 ] || [ ! -f "${CERT_CSF}" ] || [ ! -f "${CERT_IMG}" ]; then
 # Generate PKI
- trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}"
+ gen_pki_tree
 SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
 CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
@@ -185,7 +197,7 @@ elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 echo "Using existing PKI tree"
 elif [ "${n_commas}" -eq 0 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 # Generate PKI
- trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}"
+ gen_pki_tree
 SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
 else
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 663204290..0e430cf94 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
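Review bot: `mkdir -p ${GENPKI_LOCK_DIR}` in the new `gen_pki_tree` does not act as a lock, because with `-p` the call also succeeds when the directory already exists, so two signing runs can both enter `trustfence-gen-pki.sh` against the same key directory; the identical function added to trustfence.bbclass has the same problem. A plain `mkdir` fails on an existing directory, which is the property a lock directory needs. The expansions are also unquoted where the replaced call quoted the path, and the generator's exit status is lost because `rm -rf` is the last command in the branch. The callers in the -170 and -185 hunks decide that no tree exists before the lock is taken, so that test would need repeating once the lock is held. With a working lock, a directory left behind by an interrupted run blocks later builds until it is removed, which deserves a comment next to `GENPKI_LOCK_DIR`.

```shell
gen_pki_tree() {
	mkdir -p "${CONFIG_SIGN_KEYS_PATH}" || exit 1
	# Plain mkdir fails when the directory exists; that failure is the lock.
	if ! mkdir "${GENPKI_LOCK_DIR}"; then
		echo "Could not get lock to generate PKI tree" >&2
		exit 1
	fi
	rc=0
	trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}" || rc=$?
	# Release the lock on both outcomes, then report a generator failure.
	rmdir "${GENPKI_LOCK_DIR}"
	[ "${rc}" -eq 0 ] || exit "${rc}"
}
```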
@@ -110,3 +110,25 @@ python () {
 else:
 d.setVar("TRUSTFENCE_INITRAMFS_IMAGE", "");
 }
+
+# Function to generate a PKI tree (with lock dir protection)
+GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock"
+gen_pki_tree() {
+ if mkdir -p ${GENPKI_LOCK_DIR}; then
+ trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH}
+ rm -rf ${GENPKI_LOCK_DIR}
+ else
+ bbfatal "Could not get lock to generate PKI tree"
+ fi
+}
+
+# Function that generates a PKI tree if there isn't one
+check_gen_pki_tree() {
+ SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
+ n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
+ if [ "${n_commas}" -eq 0 ]; then
+ gen_pki_tree
+ elif [ "${n_commas}" -ne 3 ]; then
+ bbfatal "Inconsistent PKI tree"
+ fi
+}
diff --git a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
index b10bc069e..03e121515 100644
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
@@ -4,11 +4,7 @@ SUMMARY = "Recovery initramfs files"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
-# When building a TrustFence enabled recovery initramfs, we need the TrustFence PKI tree to
-# be already generated in order to copy the public key. Forcing a dependence against
-# 'virtual/kernel' ensures that the keys are already generated as they are needed to sign the
-# kernel artifacts.
-DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'virtual/kernel openssl-native', '', d)}"
+DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'openssl-native trustfence-cst-native', '', d)}"
 SRC_URI = " \
 file://recovery-initramfs-init \
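Review bot: `check_gen_pki_tree` infers the number of SRK certificates by counting commas, so a count of zero covers both "no certificate" and "exactly one certificate", and a keys path that itself contains a space or a comma skews the result. A partially written tree holding a single SRK file would therefore be regenerated over instead of being reported as inconsistent. Counting the glob matches directly separates those cases. The count is also taken before `gen_pki_tree` takes its lock directory, so a second task can pass the same test while the first is still generating; repeating the check once the lock is held would close that window.

```bitbake
check_gen_pki_tree() {
	# Count the certificates themselves; an unmatched glob stays literal.
	set -- "${TRUSTFENCE_SIGN_KEYS_PATH}"/crts/SRK*crt.pem
	[ -e "$1" ] || set --
	case "$#" in
		0) gen_pki_tree ;;
		4) ;;
		*) bbfatal "Inconsistent PKI tree" ;;
	esac
}
```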
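Review bot: The replacement `DEPENDS` line in recovery-initramfs.bb drops the comment that explained why the dependency exists, and nothing now says why `trustfence-cst-native` is required; the matching hunk in dualboot.bb has the same gap. A short comment would keep the intent visible, for example `# trustfence-cst-native: lets do_install generate the TrustFence PKI tree when none exists yet` (presumably that recipe provides `trustfence-gen-pki.sh`; confirm before wording it as fact). Removing `virtual/kernel` also removes the ordering that used to guarantee the keys existed before this recipe ran, so whichever task runs first now starts key generation, which is worth stating in the same comment.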
@@ -38,6 +34,8 @@ do_install() {
 # If Trustfence is enabled, copy the public key that is going to be used into the
 # initramfs '/etc/ssl/certs' folder in order to verify swupdate packages.
 if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+ # Check and generate a PKI tree if there isn't one
+ check_gen_pki_tree
 # Retrieve the key index to use.
 KEY_INDEX="0"
 if [ -n "${TRUSTFENCE_KEY_INDEX}" ]; then
diff --git a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
index 1876504a6..374a532c7 100644
--- a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
+++ b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
@@ -5,12 +5,7 @@ SECTION = "base"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
-
-# When building a TrustFence enabled rootfs, we need the TrustFence PKI tree to
-# be already generated in order to copy the public key. Forcing a dependency with
-# 'virtual/kernel' ensures that the keys are already generated as they are needed to sign the
-# kernel artifacts.
-DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'virtual/kernel openssl-native', '', d)}"
+DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'openssl-native trustfence-cst-native', '', d)}"
 SRC_URI = " \
 file://dualboot-init \
@@ -41,6 +36,8 @@ do_install() {
 # If Trustfence is enabled, copy the public key that is going to be used into the
 # initramfs '/etc/ssl/certs' folder in order to verify swupdate packages.
 if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+ # Check and generate a PKI tree if there isn't one
+ check_gen_pki_tree
 # Retrieve the key index to use.
 KEY_INDEX="0"
 if [ -n "${TRUSTFENCE_KEY_INDEX}" ]; then
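Review bot: The `check_gen_pki_tree` call added to `do_install` in recovery-initramfs.bb, and the identical call in dualboot.bb, creates a new signing key tree whenever `TRUSTFENCE_SIGN_KEYS_PATH` holds no SRK certificates, and nothing is written to the task log when that happens. If the path is mistyped or the key directory is missing on a build host, the image would apparently be built with a freshly generated public key in `/etc/ssl/certs` instead of failing, and update packages signed with the intended key would then not verify. Logging the event in the generation branch, for example `bbwarn "No PKI tree found in ${TRUSTFENCE_SIGN_KEYS_PATH}; generating a new one"`, makes it visible in the build output. Neither hunk shows these recipes inheriting the class that defines `check_gen_pki_tree`, so that should be confirmed; `do_install` continues outside both hunks.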