diff --git a/core_sign_update b/core_sign_update
index 6b55d1a0b9..20159cf255 100755
--- a/core_sign_update
+++ b/core_sign_update
@@ -18,8 +18,9 @@ export GCLIENT_ROOT=$(readlink -f "${SCRIPT_ROOT}/../../")
 DEFINE_string image "" "The filesystem image of /usr"
 DEFINE_string kernel "" "The kernel image"
 DEFINE_string output "" "Output file"
-DEFINE_string private_keys "" "Path to private key in .pem format."
-DEFINE_string public_keys "" "Path to public key in .pem format."
+DEFINE_string private_keys "" "Path or pkcs11 URI to private keys."
+DEFINE_string public_keys "" "Path to public keys in .pem format."
+DEFINE string keys_separator ":" "Separator for the above keys"
 # Parse command line
 FLAGS "$@" || exit 1
@@ -45,8 +46,9 @@ delta_generator \
 -new_kernel "$FLAGS_kernel" \
 -out_file update
-IFS=+ read -a private_keys <<< "$FLAGS_private_keys"
-IFS=+ read -a public_keys <<< "$FLAGS_public_keys"
+# The separator is configurable for backwards compatibility with old `sign.sh` scripts.
+IFS="${keys_separator}" read -a private_keys <<< "$FLAGS_private_keys"
+IFS="${keys_separator}" read -a public_keys <<< "$FLAGS_public_keys"
 if [ ${#private_keys[@]} -ne ${#public_keys[@]} ]; then
 echo "mismatch in count of private keys and public keys"
diff --git a/offline_signing/sign.sh b/offline_signing/sign.sh
index 1f4a621909..ecd690a951 100755
--- a/offline_signing/sign.sh
+++ b/offline_signing/sign.sh
@@ -18,4 +18,5 @@ cd "${DATA_DIR}"
 --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \
 --output "${DATA_DIR}/coreos_production_update.gz" \
 --private_keys "${KEYS_DIR}/devel.key.pem+pkcs11:object=CoreOS_Update_Signing_Key;type=private" \
- --public_keys "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem"
+ --public_keys "${KEYS_DIR}/devel.pub.pem+${KEYS_DIR}/prod-2.pub.pem" \
+ --keys_separator "+"
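Review bot: The added flag line in the first core_sign_update hunk reads `DEFINE string keys_separator`, with a space where the lines above it use `DEFINE_string`. Unless a separate `DEFINE` command exists outside this hunk, the flag is never registered, and the `--keys_separator "+"` that sign.sh now passes would be rejected at `FLAGS "$@" || exit 1`. The line should be `DEFINE_string keys_separator ":" "Separator for the above keys"`. The default `:` also needs a second look: the help text now allows pkcs11 URIs in `--private_keys`, and a URI like the `pkcs11:object=...` one in sign.sh contains that character, so a caller relying on the default would have the URI split in two. The separator was previously hard-coded to `+`, so existing callers that do not pass the new flag silently change behaviour.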
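Review bot: Both new `read` lines in the second core_sign_update hunk set `IFS="${keys_separator}"`, but no variable of that name is assigned in the visible lines. The other flags are read through `FLAGS_`-prefixed names (`$FLAGS_private_keys`, `$FLAGS_kernel`), so this is presumably meant to be `IFS="${FLAGS_keys_separator}" read -r -a private_keys <<< "$FLAGS_private_keys"`, and likewise for `public_keys`. With the variable unset, IFS is empty and nothing is split, so each array holds the whole flag value as one element and the count comparison below still passes. For a script that selects signing keys, it would be safer to reject an empty separator before the two reads than to continue with an unsplit key list. The surrounding script continues outside the hunk, so how the arrays are consumed afterwards is not visible here.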