diff --git a/makefiles/suit.base.inc.mk b/makefiles/suit.base.inc.mk index 8109b5e436..77fd304b21 100644 --- a/makefiles/suit.base.inc.mk +++ b/makefiles/suit.base.inc.mk @@ -6,10 +6,14 @@ SUIT_TOOL ?= $(RIOTBASE)/dist/tools/suit/suit-manifest-generator/bin/suit-tool # SUIT encryption keys # -# Specify key to use. +# Specify key(s) to use. # Will use $(SUIT_KEY_DIR)/$(SUIT_KEY).pem as combined private/public key # files. +# Multiple keys can be specified, that means that the firmware will accept +# updates signed with either one of those keys. +# If the firmware accepts multiple keys, let the first key be the signing key. SUIT_KEY ?= default +SUIT_KEY_SIGN ?= $(word 1, $(SUIT_KEY)) XDG_DATA_HOME ?= $(HOME)/.local/share ifeq (1, $(RIOT_CI_BUILD)) @@ -20,6 +24,8 @@ endif # we may accept multiple keys for the firmware SUIT_SEC ?= $(foreach item,$(SUIT_KEY),$(SUIT_KEY_DIR)/$(item).pem) +# but there can only be one signing key +SUIT_SEC_SIGN ?= $(SUIT_KEY_DIR)/$(SUIT_KEY_SIGN).pem # generate a list of the public keys SUIT_PUBS ?= $(SUIT_SEC:.pem=.pem.pub) diff --git a/makefiles/suit.inc.mk b/makefiles/suit.inc.mk index b06e0b9fbd..9d59290c6b 100644 --- a/makefiles/suit.inc.mk +++ b/makefiles/suit.inc.mk @@ -32,6 +32,10 @@ SUIT_MANIFEST_SIGNED_LATEST ?= $(BINDIR_SUIT)/$(SUIT_MANIFEST_BASENAME).latest.b SUIT_NOTIFY_VERSION ?= latest SUIT_NOTIFY_MANIFEST ?= $(SUIT_MANIFEST_BASENAME).$(SUIT_NOTIFY_VERSION).bin +ifneq (,$(SUIT_SEC_PASSWORD)) + SUIT_TOOL_ARGS += -p $(SUIT_SEC_PASSWORD) +endif + # Long manifest names require more buffer space when parsing export CFLAGS += -DCONFIG_SOCK_URLPATH_MAXLEN=128 export CFLAGS += -DSUIT_VENDOR_DOMAIN="\"$(SUIT_VENDOR)\"" 
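Review bot: `SUIT_KEY_SIGN` is assigned with `?=` and can be overridden, but nothing checks that it names one of the keys in `SUIT_KEY`. A typo or stale override would produce manifests signed with a key whose public half is not in `SUIT_PUBS`, which the firmware would presumably reject. A parse-time guard placed after the assignment, once `SUIT_KEY` is final, would catch this: `ifeq (,$(filter $(SUIT_KEY_SIGN),$(SUIT_KEY)))`, then `$(error SUIT_KEY_SIGN must be one of SUIT_KEY)`, then `endif`. The same guard covers an empty `SUIT_KEY`, which otherwise makes `SUIT_SEC_SIGN` in the next hunk expand to `$(SUIT_KEY_DIR)/.pem`.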
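Review bot: The passphrase is appended to `SUIT_TOOL_ARGS` as `-p $(SUIT_SEC_PASSWORD)`, so it lands on the suit-tool command line. There it is visible in the process list while signing runs, and it is echoed into build or CI logs whenever `$(Q)` expands to nothing (presumably verbose builds). It is also unquoted, so a passphrase containing spaces or shell metacharacters is split or interpreted by the shell; at minimum use `SUIT_TOOL_ARGS += -p '$(SUIT_SEC_PASSWORD)'`. If suit-tool can read the passphrase from the environment or a file (not visible in this diff), that would keep it out of argv entirely. A comment documenting `SUIT_SEC_PASSWORD` next to the other SUIT key variables is also missing.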
@@ -54,7 +58,7 @@ $(SUIT_MANIFEST): $(SUIT_MANIFEST_PAYLOADS) $(BINDIR_SUIT) $(Q)rm -f $@.tmp $(SUIT_MANIFEST_SIGNED): $(SUIT_MANIFEST) $(SUIT_SEC) - $(Q)$(SUIT_TOOL) sign $(SUIT_TOOL_ARGS) -k $(SUIT_SEC) -m $(SUIT_MANIFEST) -o $@ + $(Q)$(SUIT_TOOL) sign $(SUIT_TOOL_ARGS) -k $(SUIT_SEC_SIGN) -m $(SUIT_MANIFEST) -o $@ $(SUIT_MANIFEST_LATEST): $(SUIT_MANIFEST) $(Q)ln -f -s $< $@
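Review bot: The recipe now reads `$(SUIT_SEC_SIGN)`, but the prerequisite list still names only `$(SUIT_SEC)`. If `SUIT_SEC_SIGN` is overridden to a path outside that list, make neither tracks the file nor checks that it exists before suit-tool runs. Listing it explicitly closes the gap: `$(SUIT_MANIFEST_SIGNED): $(SUIT_MANIFEST) $(SUIT_SEC) $(SUIT_SEC_SIGN)`. With the default values this changes nothing, since the signing key is the first entry of `SUIT_SEC`.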