diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in
index 874a348..6794c74 100644
--- a/rpm/kernel-binary.spec.in
+++ b/rpm/kernel-binary.spec.in
@@ -449,7 +449,11 @@ fi
 %endif
 
 if [ %CONFIG_MODULE_SIG = "y" ]; then
-	test -n "%certs" || ../scripts/config --set-str CONFIG_MODULE_SIG_KEY ""
+	if [ -n "%certs" ] ; then
+		../scripts/config --set-str CONFIG_MODULE_SIG_KEY "%_sourcedir/.kernel_signing_key.pem"
+	else
+		../scripts/config --set-str CONFIG_MODULE_SIG_KEY ""
+	fi
 fi
 
 case %cpu_arch in
@@ -525,16 +529,6 @@ if test -e %my_builddir/kabi/%cpu_arch/symtypes-%build_flavor; then
     %_sourcedir/modversions --unpack . < $_
 fi
 
-# copy module signing certificate(s). We use the default path and trick
-# certs/Makefile to not regenerate the certificate. It is done this way so
-# that the kernel-source package can be rebuilt even without the certificate
-echo Signing certificates "%certs"
-if [ -f %_sourcedir/.kernel_signing_key.pem ] ; then
-    mkdir -p certs
-    touch certs/x509.genkey
-    cp "%_sourcedir/.kernel_signing_key.pem" certs/signing_key.pem
-fi
-
 %if "%CONFIG_KMSG_IDS" == "y"
     chmod +x ../scripts/kmsg-doc
     MAKE_ARGS="$MAKE_ARGS D=2"