diff --git a/shim.changes b/shim.changes
index f67c7c4..73bacd3 100644
--- a/shim.changes
+++ b/shim.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de
+
+- always clean up generated files that embed certificates
+  (shim_cert.h shim.cer shim.crt) to make sure next build loop
+  rebuilds them properly
+
 -------------------------------------------------------------------
 Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com
 
diff --git a/shim.spec b/shim.spec
index d86a770..048a094 100644
--- a/shim.spec
+++ b/shim.spec
@@ -134,6 +134,7 @@ for suffix in "${suffixes[@]}"; do
     fi
 
     openssl x509 -in $cert -outform DER -out shim-$suffix.der
+    rm -f shim_cert.h shim.cer shim.crt
     if [ -z "$cert2" ]; then
 	    # create empty local cert file, we don't need a local key pair as we
 	    # sign the mokmanager with our vendor key
@@ -141,7 +142,6 @@ for suffix in "${suffixes[@]}"; do
 	    touch shim.cer
     else
 	    cp $cert2 shim.crt
-	    rm -f shim.cer
     fi
     # make sure cast warnings don't trigger post build check
     make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null