diff --git a/shim.spec b/shim.spec
index 2c3dc11..9015251 100644
--- a/shim.spec
+++ b/shim.spec
@@ -210,10 +210,10 @@ suffixes=(opensuse sles)
 # just one shim that embeds this specific cert. If it's a devel
 # project we build all variants to simplify testing.
 if test -e %{_sourcedir}/_projectcert.crt ; then
- prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
- prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
- opensusesubject=$(openssl x509 -in %{SOURCE11} -noout -subject_hash)
- slessubject=$(openssl x509 -in %{SOURCE12} -noout -subject_hash)
+ prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash)
+ prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash)
+ opensusesubject=$(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash)
+ slessubject=$(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash)
 if test "$prjissuer" = "$opensusesubject" ; then
 suffixes=(opensuse)
 elif test "$prjissuer" = "$slessubject" ; then
@@ -226,6 +226,7 @@ fi
 for suffix in "${suffixes[@]}"; do
 if test "$suffix" = "opensuse"; then
 cert=%{SOURCE11}
+ cp $cert shim-$suffix.der
 verify='openSUSE Secure Boot CA1'
 vendor_dbx='vendor-dbx-opensuse.esl'
 %ifarch x86_64
@@ -236,6 +237,7 @@ for suffix in "${suffixes[@]}"; do
 %endif
 elif test "$suffix" = "sles"; then
 cert=%{SOURCE12}
+ cp $cert shim-$suffix.der
 verify='SUSE Linux Enterprise Secure Boot CA1'
 vendor_dbx='vendor-dbx-sles.esl'
 %ifarch x86_64
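Review bot: In the first hunk (@@ -210,10) the four hashes are used without checking that the `openssl x509` calls produced any output. If a certificate is not in the format now fixed by `-inform PEM` / `-inform DER`, the substitution yields an empty string, and `test "$prjissuer" = "$opensusesubject"` is true when both sides are empty, which would select the opensuse suffix. Whether the scriptlet aborts on the failed substitution depends on the shell options rpm runs it with, which are not visible here. I would add, right after the four assignments, `for h in "$prjsubject" "$prjissuer" "$opensusesubject" "$slessubject"; do test -n "$h" || exit 1; done`. The enclosing `if` block continues past the end of the hunk.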
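Review bot: The added `cp $cert shim-$suffix.der` in the opensuse branch (@@ -226,6), and the identical line in the sles branch (@@ -236,6), no longer parses the file before it is handed to the build as `VENDOR_CERT_FILE`. The removed `openssl x509 ... -outform DER` step would have failed on input that is not a certificate, whereas a plain copy passes any bytes through as the embedded vendor certificate. Keeping the parse with the input format stated preserves that check: `openssl x509 -in "$cert" -inform DER -outform DER -out "shim-$suffix.der"`. The quoting also protects against a source path that contains whitespace. The `if`/`elif` chain these lines sit in continues outside both hunks.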
@@ -250,12 +252,12 @@ for suffix in "${suffixes[@]}"; do
 vendor_dbx='vendor-dbx.esl'
 ms_shim=''
 test -e "$cert" || continue
+ openssl x509 -in $cert -inform PEM -outform DER -out shim-$suffix.der
 else
 echo "invalid suffix"
 false
 fi
- openssl x509 -in $cert -outform DER -out shim-$suffix.der
 make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim \
 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
 DEFAULT_LOADER="\\\\\\\\grub.efi" \
@@ -408,10 +410,12 @@ local TARGET_CERT_HEXES = {
 %if "%{prjissuer_hash}" == "%{opensusesubject_hash}"
 -- Certificate #3, openSUSE Secure Boot CA 2013
 "%{opensuse_ca_hex}",
-%elif "%{prjissuer_hash}" == "%{slessubject_hash}"
+%endif
+%if "%{prjissuer_hash}" == "%{slessubject_hash}"
 -- Certificate #3, SUSE Linux Enterprise Secure Boot CA 2013
 "%{sles_ca_hex}",
-%elif "%{prjissuer_hash}" == "%{prjsubjec_hash}"
+%endif
+%if "%{prjissuer_hash}" == "%{prjsubjec_hash}"
 -- We put all keys for testing on devel/staging project
 -- Certificate #3, openSUSE Secure Boot CA 2013
 "%{opensuse_ca_hex}",
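Review bot: The macro name `%{prjsubjec_hash}` in the last added `%if` (@@ -408,10) looks like a misspelling of `prjsubject_hash`, carried over unchanged from the removed `%elif`. Its definition is not visible in this diff, but if no macro of that spelling exists, rpm leaves the text unexpanded and the devel/staging branch can never match, so the test keys would silently be missing from `TARGET_CERT_HEXES`. If it is a typo, the line should read `%if "%{prjissuer_hash}" == "%{prjsubject_hash}"`. Separately, the three conditions are now independent rather than mutually exclusive, so the same hex could be listed twice when two of them hold; a comment saying that this is acceptable would help. The last `%if` block is closed outside the hunk.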