diff --git a/tools/cert_create/include/ext.h b/tools/cert_create/include/ext.h
index 3c65473b0d142457ab2785c8c487211b7fa8d2a7..0ede365181e219d85665b037a999e67b2c121dd3 100644
--- a/tools/cert_create/include/ext.h
+++ b/tools/cert_create/include/ext.h
@@ -72,6 +72,8 @@ typedef struct ext_s {
 	X509V3_EXT_METHOD method; /* This field may be used to define a custom
 				   * function to print the contents of the
 				   * extension */
+
+	int optional;	/* This field may be used optionally to exclude an image */
 } ext_t;
 
 enum {
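Review bot: The comment on `optional` says the flag can "exclude an image", but the main.c hunk of this commit still writes an optional extension with no image into the certificate, carrying a zero-filled hash. A more accurate comment would be `/* Non-zero: image may be omitted; a zero-filled hash is then stored in the certificate */`. It is also worth noting in the comment that entries which do not set the field stay mandatory, since the designated initializers in tbb_ext.c leave it at 0.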
diff --git a/tools/cert_create/include/tbbr/tbb_cert.h b/tools/cert_create/include/tbbr/tbb_cert.h
index 21626c726c4bded292ad719228259cfe085f925e..2bc3be63c6bc18a7b3cc53203bf31544571586e8 100644
--- a/tools/cert_create/include/tbbr/tbb_cert.h
+++ b/tools/cert_create/include/tbbr/tbb_cert.h
@@ -46,7 +46,8 @@ enum {
 	BL32_KEY_CERT,
 	BL32_CERT,
 	BL33_KEY_CERT,
-	BL33_CERT
+	BL33_CERT,
+	FWU_CERT
 };
 
 #endif /* TBB_CERT_H_ */
diff --git a/tools/cert_create/include/tbbr/tbb_ext.h b/tools/cert_create/include/tbbr/tbb_ext.h
index 03b12d7aed6c2c541ad8702355538e65e73192fc..ecbe8669d4542e3ded19fdda5201d1797a356177 100644
--- a/tools/cert_create/include/tbbr/tbb_ext.h
+++ b/tools/cert_create/include/tbbr/tbb_ext.h
@@ -46,7 +46,10 @@ enum {
 	BL32_CONTENT_CERT_PK_EXT,
 	BL32_HASH_EXT,
 	BL33_CONTENT_CERT_PK_EXT,
-	BL33_HASH_EXT
+	BL33_HASH_EXT,
+	SCP_BL2U_HASH_EXT,
+	BL2U_HASH_EXT,
+	NS_BL2U_HASH_EXT
 };
 
 #endif /* TBB_EXT_H_ */
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index b7ad33fe36804697112ce501b1e4906057c2ae63..de15ef6fecfa14bbc7a14814f5fb5f394ce7bf6a 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -217,8 +217,11 @@ static void check_cmd_params(void)
 				}
 				break;
 			case EXT_TYPE_HASH:
-				/* Binary image must be specified */
-				if (ext->data.fn == NULL) {
+				/*
+				 * Binary image must be specified
+				 * unless it is explicitly made optional.
+				 */
+				if ((!ext->optional) && (ext->data.fn == NULL)) {
 					ERROR("Image for '%s' not specified\n",
 					      ext->ln);
 					exit(1);
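Review bot: With the relaxed condition `(!ext->optional) && (ext->data.fn == NULL)`, an optional hash extension whose image was simply left off the command line passes validation with no diagnostic. The later main() hunk turns that case into a zero-filled hash inside a signed certificate, so a build-script mistake cannot be told apart from a deliberate omission. I would add a non-fatal branch, `else if (ext->data.fn == NULL)`, that logs something like `"Image for '%s' not specified, zero hash will be used\n"` with `ext->ln` through the tool's logging macros. check_cmd_params() starts and ends outside this hunk.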
@@ -410,12 +413,20 @@ int main(int argc, char *argv[])
 				break;
 			case EXT_TYPE_HASH:
 				if (ext->data.fn == NULL) {
-					break;
-				}
-				if (!sha_file(ext->data.fn, md)) {
-					ERROR("Cannot calculate hash of %s\n",
-						ext->data.fn);
-					exit(1);
+					if (ext->optional) {
+						/* Include a hash filled with zeros */
+						memset(md, 0x0, SHA256_DIGEST_LENGTH);
+					} else {
+						/* Do not include this hash in the certificate */
+						break;
+					}
+				} else {
+					/* Calculate the hash of the file */
+					if (!sha_file(ext->data.fn, md)) {
+						ERROR("Cannot calculate hash of %s\n",
+							ext->data.fn);
+						exit(1);
+					}
 				}
 				CHECK_NULL(cert_ext, ext_new_hash(ext_nid,
 						EXT_CRIT, md_info, md,
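Review bot: `memset(md, 0x0, SHA256_DIGEST_LENGTH)` hard-codes the SHA-256 length, while the `ext_new_hash()` call right below takes its digest type from `md_info`. `md` is declared outside this hunk, so its size cannot be checked here. If `md` is an array, `memset(md, 0, sizeof(md));` keeps the placeholder fully initialised should the digest ever change. The comment `/* Include a hash filled with zeros */` should also record the contract this creates: the all-zero value is a sentinel for "image not present", and presumably the code that verifies the certificate must refuse to load an image for that extension rather than skip authentication. main() continues past the end of the hunk.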
diff --git a/tools/cert_create/src/tbbr/tbb_cert.c b/tools/cert_create/src/tbbr/tbb_cert.c
index 770bd6a0aac4a38ce5c02c64bc838741a2f2b49f..59a1cd9c7d5a58577f24d886a2f3b3d1a555e47c 100644
--- a/tools/cert_create/src/tbbr/tbb_cert.c
+++ b/tools/cert_create/src/tbbr/tbb_cert.c
@@ -160,6 +160,20 @@ static cert_t tbb_certs[] = {
 			BL33_HASH_EXT
 		},
 		.num_ext = 1
+	},
+	[FWU_CERT] = {
+		.id = FWU_CERT,
+		.opt = "fwu-cert",
+		.fn = NULL,
+		.cn = "FWU Certificate",
+		.key = ROT_KEY,
+		.issuer = FWU_CERT,
+		.ext = {
+			SCP_BL2U_HASH_EXT,
+			BL2U_HASH_EXT,
+			NS_BL2U_HASH_EXT
+		},
+		.num_ext = 3
 	}
 };
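Review bot: The `[FWU_CERT]` entry sets `.issuer = FWU_CERT` and `.key = ROT_KEY`, which reads as a self-issued certificate signed directly with the root-of-trust key, but nothing in the initializer says so. A short comment above the entry, such as `/* FWU certificate: self-signed with the ROT key; carries the SCP_BL2U, BL2U and NS_BL2U hashes */`, would make that trust relationship visible to the next reader. `.num_ext = 3` is maintained by hand next to the list, so the comment could also say the two must be kept in step. The `tbb_certs[]` array begins outside the hunk.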
 
diff --git a/tools/cert_create/src/tbbr/tbb_ext.c b/tools/cert_create/src/tbbr/tbb_ext.c
index c39c9e6a41749ad047bcb0e3cb6ad94b1ad8053e..b0af6f1a5e90a5c116b22abddfeb3e51845bc818 100644
--- a/tools/cert_create/src/tbbr/tbb_ext.c
+++ b/tools/cert_create/src/tbbr/tbb_ext.c
@@ -145,6 +145,33 @@ static ext_t tbb_ext[] = {
 		.ln = "Non-Trusted World (BL33) hash (SHA256)",
 		.asn1_type = V_ASN1_OCTET_STRING,
 		.type = EXT_TYPE_HASH
+	},
+	[SCP_BL2U_HASH_EXT] = {
+		.oid = SCP_BL2U_HASH_OID,
+		.opt = "scp_bl2u",
+		.sn = "SCPFWUpdateConfig",
+		.ln = "SCP Firmware Update Config (SCP_BL2U) hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[BL2U_HASH_EXT] = {
+		.oid = BL2U_HASH_OID,
+		.opt = "bl2u",
+		.sn = "APFWUpdateConfig",
+		.ln = "AP Firmware Update Config (BL2U) hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
+	},
+	[NS_BL2U_HASH_EXT] = {
+		.oid = NS_BL2U_HASH_OID,
+		.opt = "ns_bl2u",
+		.sn = "FWUpdaterHash",
+		.ln = "Firmware Updater (NS_BL2U) hash (SHA256)",
+		.asn1_type = V_ASN1_OCTET_STRING,
+		.type = EXT_TYPE_HASH,
+		.optional = 1
 	}
 };
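Review bot: All three new entries set `.optional = 1`, so as far as this diff shows, nothing stops the tool from producing an FWU certificate in which every hash is the zero placeholder. If at least one FWU image is expected whenever `fwu-cert` is requested, that rule belongs in check_cmd_params() (outside this hunk); otherwise a comment on these entries should state that an all-placeholder certificate is intended. The short names are also uneven: `"FWUpdaterHash"` carries a `Hash` suffix while `"SCPFWUpdateConfig"` and `"APFWUpdateConfig"` do not. The `tbb_ext[]` array begins outside the hunk.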