diff --git a/kernel.spec b/kernel.spec
index 6b414d1..2d2e533 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -11,7 +11,7 @@
 %define sublevel	11
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		3
+%define rpmrel		4
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}
@@ -85,7 +85,7 @@
 # Manual control of creating and deleting keys
 # "rnd" is "random" and means that a key pair is generated at build time
 # and is not saved anywhere.
-%define certs_dir_rnd %{src_dir}/certs_%{vendor}_rnd
+%define certs_dir_rnd certs
 %define certs_signing_key_rnd %{certs_dir_rnd}/signing_key.pem
 %define certs_key_config_rnd %{certs_dir_rnd}/x509.genkey
 %define certs_public_keys %{certs_dir_rnd}/public.pem
@@ -791,10 +791,10 @@ echo CONFIG_MODULE_SIG_ALL=y >> .config
 # Use SHA-512 algo
 echo CONFIG_MODULE_SIG_SHA512=y >> .config
 # Set path to the key that will be generated later by openssl
-echo CONFIG_MODULE_SIG_KEY="%{certs_signing_key_rnd}" >> .config
+echo CONFIG_MODULE_SIG_KEY=\"%{certs_signing_key_rnd}\" >> .config
 # Set path to one PEM file with all keys that the kernel must trust
 sed -i '/CONFIG_SYSTEM_TRUSTED_KEYS/d' .config
-echo CONFIG_SYSTEM_TRUSTED_KEYS="%{certs_public_keys}" >> .config
+echo CONFIG_SYSTEM_TRUSTED_KEYS=\"%{certs_public_keys}\" >> .config
 # Reserve area for inserting a certificate without recompiling
 sed -i '/CONFIG_SYSTEM_EXTRA_CERTIFICATE/d' .config
 echo CONFIG_SYSTEM_EXTRA_CERTIFICATE=y >> .config