diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend
index c2c4762dd..e70fb808a 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend
@@ -18,7 +18,7 @@ TF_A_CONFIG = "${DEY_TF_A_CONFIG}"
 TF_A_CONFIG[nand]   = "${DEVICE_BOARD_ENABLE:NAND},STM32MP_RAW_NAND=1 ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NAND}' if ${TF_A_MTD_START_OFFSET_NAND} else ''} STM32MP_USB_PROGRAMMER=1"
 
 DEPENDS += " \
-    ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native trustfence-genpki-native', '', d)} \
+    ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)} \
 "
 
 # This dependency is required so that the PKI generation completes before
@@ -29,6 +29,15 @@ do_install[depends] = " \
     openssl-native:do_populate_sysroot \
 "
 
+# Generate PKI tree if it doesn't exist.
+# This is an append to do_compile because in this recipe, the do_deploy
+# task comes right after do_compile, and the keys must be ready before that.
+do_compile:append() {
+	if ${@oe.utils.conditional('TRUSTFENCE_SIGN','1','true','false',d)}; then
+		check_gen_pki_tree
+	fi
+}
+
 # Obtain password to use in FIP generation
 # Get password from file using the given key index
 do_deploy[prefuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'set_fip_sign_key', '', d)}"
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb b/meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb
deleted file mode 100644
index b1167f55c..000000000
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright (C) 2023, Digi International Inc.
-
-SUMMARY = "TrustFence generation of Public Key Infrastructure (PKI)"
-LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
-
-inherit native
-
-RDEPENDS:${PN} = " \
-    trustfence-sign-tools-native \
-    openssl-native \
-"
-
-S = "${WORKDIR}"
-
-do_fetch[noexec] = "1"
-do_configure[noexec] = "1"
-do_compile[noexec] = "1"
-
-# Function to generate a PKI tree (with lock dir protection)
-GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock"
-gen_pki_tree() {
-	if mkdir -p ${GENPKI_LOCK_DIR}; then
-		if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
-			trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH}
-		elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
-			# Call sign script with no artifact arguments to just
-			# generate the keys
-			export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
-			export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
-			trustfence-sign-artifact.sh -p ${DIGI_SOM}
-		fi
-		rm -rf ${GENPKI_LOCK_DIR}
-	else
-		bbfatal "Could not get lock to generate PKI tree"
-	fi
-}
-
-# Function that generates a PKI tree if there isn't one
-check_gen_pki_tree() {
-	if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
-		SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
-		n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
-		if [ "${n_commas}" -eq 0 ]; then
-			gen_pki_tree
-		elif [ "${n_commas}" -ne 3 ]; then
-			bbfatal "Inconsistent PKI tree"
-		fi
-	elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
-		# The script that generates the PKI tree already checks if
-		# there isn't one, so there's nothing to do here but calling it.
-		gen_pki_tree
-	fi
-}
-
-do_install[depends] = "trustfence-sign-tools-native:do_populate_sysroot \
-			openssl-native:do_populate_sysroot"
-do_install() {
-	check_gen_pki_tree
-}
-
-FILES:${PN} = "${bindir}"
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools.inc b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools.inc
index 39342d489..084fd4d3f 100644
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools.inc
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools.inc
@@ -18,6 +18,7 @@ SRC_URI = " \
     ${UBOOT_GIT_URI};branch=${SRCBRANCH} \
     file://trustfence-sign-artifact-nxp.sh \
     file://trustfence-sign-artifact-stm.sh \
+    file://trustfence-gen-pki-stm.sh \
     file://sign_hab;name=artifact-hab-sign \
     file://encrypt_hab;name=artifact-hab-encrypt \
     file://sign_ahab;name=artifact-ahab-sign \
@@ -57,6 +58,7 @@ do_install() {
 	elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
 		install -d ${D}${bindir}
 		install -m 0755 trustfence-sign-artifact-stm.sh ${D}${bindir}/trustfence-sign-artifact.sh
+		install -m 0755 trustfence-gen-pki-stm.sh ${D}${bindir}/trustfence-gen-pki.sh
 	fi
 }
 
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
new file mode 100755
index 000000000..fed978035
--- /dev/null
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
@@ -0,0 +1,85 @@
+#!/bin/sh
+#===============================================================================
+#
+#  trustfence-gen-pki-stm.sh
+#
+#  Copyright (C) 2023 by Digi International Inc.
+#  All rights reserved.
+#
+#  This program is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU General Public License version 2 as published by
+#  the Free Software Foundation.
+#
+#
+#  Description:
+#    Script for generating PKI tree using STM tools
+#
+#===============================================================================
+
+# Avoid parallel execution of this script
+SINGLE_PROCESS_LOCK="/tmp/gen_pki_script.lock.d"
+trap 'rm -rf "${SINGLE_PROCESS_LOCK}"' INT TERM EXIT
+while ! mkdir "${SINGLE_PROCESS_LOCK}" > /dev/null 2>&1; do
+	sleep 1
+done
+
+SCRIPT_NAME="$(basename "${0}")"
+SUPPORTED_PLATFORMS="ccmp15, ccmp13"
+
+while getopts "p:" c; do
+	case "${c}" in
+		p) PLATFORM="${OPTARG}";;
+	esac
+done
+shift "$((OPTIND - 1))"
+
+usage() {
+	cat <<EOF
+
+Usage: ${SCRIPT_NAME} <OPTIONS>
+
+ Options:
+    -p <platform>    platform
+
+Supported platforms: ${SUPPORTED_PLATFORMS}
+
+EOF
+}
+
+if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then
+	echo "Undefined CONFIG_SIGN_KEYS_PATH";
+	exit 1
+fi
+[ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
+
+# Default values
+KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
+
+# Generate random keys if they don't exist
+N_PUBK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/publicKey0* 2>/dev/null | wc -l)"
+N_PRVK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/privateKey0* 2>/dev/null | wc -l)"
+if [ "${PLATFORM}" = "ccmp15" ]; then
+	if [ "${N_PUBK}" != "1" ] && [ "${N_PRVK}" != 1 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
+		install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
+		# Random password
+		password="$(openssl rand -base64 32)"
+		echo "Generating random key"
+		STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd "${password}" -n 1
+		echo "${password}" > "${KEY_PASS_FILE}"
+	fi
+elif [ "${PLATFORM}" = "ccmp13" ]; then
+	if [ "${N_PUBK}" != "8" ] && [ "${N_PRVK}" != 8 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
+		install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
+		# 8 random passwords (separated by whitespaces)
+		passwords="$(openssl rand -base64 32)"
+		for i in $(seq 1 7); do
+			passwords="${passwords} $(openssl rand -base64 32)"
+		done
+		echo "Generating random keys"
+		STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd "${passwords}" -n 8
+		echo "${passwords}" > "${KEY_PASS_FILE}"
+	fi
+else
+	echo "Undefined platform"
+	exit 1
+fi
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh
index ddf2d1c86..35fd33728 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh
@@ -47,59 +47,36 @@ Usage: ${SCRIPT_NAME} <OPTIONS> [<input-unsigned-image> <output-signed-image>]
 
 Supported platforms: ${SUPPORTED_PLATFORMS}
 
-When called without filename parameters, it generates random keys if they
-do not exist.
-
 EOF
 }
 
+if [ "${#}" != "2" ]; then
+	usage
+	exit 1
+fi
+
 if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then
 	echo "Undefined CONFIG_SIGN_KEYS_PATH";
 	exit 1
 fi
-[ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
 
 # Default values
 [ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0"
 KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
 
 # Generate random keys if they don't exist
-if [ "${PLATFORM}" = "ccmp15" ]; then
-	PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey00.pem"
-	PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey00.pem"
-	if [ ! -f "${PRIVATE_KEY}" ] && [ ! -f "${PUBLIC_KEY}" ] && [ ! -f "${KEY_PASS_FILE}" ]; then
-		install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
-		# Random password
-		password="$(openssl rand -base64 32)"
-		echo "Generating random key"
-		STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd ${password} -n 1
-		echo "${password}" > "${KEY_PASS_FILE}"
-	fi
-elif [ "${PLATFORM}" = "ccmp13" ]; then
-	N_PUBK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0* 2>/dev/null | wc -l)"
-	N_PRVK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0* 2>/dev/null | wc -l)"
-	PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0*.pem"
-	PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0${CONFIG_KEY_INDEX}.pem"
-	if [ "${N_PUBK}" != "8" ] && [ "${N_PRVK}" != 8 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
-		install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
-		# 8 random passwords (separated by whitespaces)
-		passwords="$(openssl rand -base64 32)"
-		for i in $(seq 1 7); do
-			passwords="${passwords} $(openssl rand -base64 32)"
-		done
-		echo "Generating random keys"
-		STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd ${passwords} -n 8
-		echo "${passwords}" > "${KEY_PASS_FILE}"
-	fi
-else
-	echo "Undefined platform"
+if ! trustfence-gen-pki.sh -p ${PLATFORM}; then
 	exit 1
 fi
 
-if [ "${#}" = "0" ]; then
-	exit 0
-elif [ "${#}" != "2" ]; then
-	usage
+if [ "${PLATFORM}" = "ccmp15" ]; then
+	PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey00.pem"
+	PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey00.pem"
+elif [ "${PLATFORM}" = "ccmp13" ]; then
+	PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0*.pem"
+	PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0${CONFIG_KEY_INDEX}.pem"
+else
+	echo "Undefined platform"
 	exit 1
 fi
 
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 202ddcd28..6ea35e306 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -36,6 +36,39 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 
 IMAGE_FEATURES += "dey-trustfence"
 
+# Function to generate a PKI tree (with lock dir protection)
+GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock"
+gen_pki_tree() {
+	if mkdir -p ${GENPKI_LOCK_DIR}; then
+		if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+			trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH}
+		elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
+			export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
+			trustfence-gen-pki.sh -p ${DIGI_SOM}
+		fi
+		rm -rf ${GENPKI_LOCK_DIR}
+	else
+		bbfatal "Could not get lock to generate PKI tree"
+	fi
+}
+
+# Function that generates a PKI tree if there isn't one
+check_gen_pki_tree() {
+	if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+		SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
+		n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
+		if [ "${n_commas}" -eq 0 ]; then
+			gen_pki_tree
+		elif [ "${n_commas}" -ne 3 ]; then
+			bbfatal "Inconsistent PKI tree"
+		fi
+	elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
+		# The script that generates the PKI tree already checks if
+		# there isn't one, so there's nothing to do here but calling it.
+		gen_pki_tree
+	fi
+}
+
 python () {
     import binascii
     import hashlib