diff --git a/tools/cert_create/include/ext.h b/tools/cert_create/include/ext.h
index d73f573..57bb65f 100644
--- a/tools/cert_create/include/ext.h
+++ b/tools/cert_create/include/ext.h
@@ -63,7 +63,8 @@
 };
 
 int ext_init(ext_t *tbb_ext);
-X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len);
+X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
+		unsigned char *buf, size_t len);
 X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value);
 X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k);
 
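Review bot: `buf` is only read by `ext_new_hash`, so the new prototype could take `const unsigned char *buf`, matching the `const` already given to `md`. The definition in `tools/cert_create/src/ext.c` would need the same change. Since the signature is being touched anyway, this is the cheap moment to do it, and callers holding a read-only digest would no longer need a cast.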
diff --git a/tools/cert_create/src/ext.c b/tools/cert_create/src/ext.c
index 31f84a8..21b90db 100644
--- a/tools/cert_create/src/ext.c
+++ b/tools/cert_create/src/ext.c
@@ -31,13 +31,29 @@
 #include <stddef.h>
 #include <stdio.h>
 #include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include "ext.h"
 
 DECLARE_ASN1_ITEM(ASN1_INTEGER)
+DECLARE_ASN1_ITEM(X509_ALGOR)
 DECLARE_ASN1_ITEM(ASN1_OCTET_STRING)
 
+typedef struct {
+	X509_ALGOR *hashAlgorithm;
+	ASN1_OCTET_STRING *dataHash;
+} HASH;
+
+ASN1_SEQUENCE(HASH) = {
+	ASN1_SIMPLE(HASH, hashAlgorithm, X509_ALGOR),
+	ASN1_SIMPLE(HASH, dataHash, ASN1_OCTET_STRING),
+} ASN1_SEQUENCE_END(HASH)
+
+DECLARE_ASN1_FUNCTIONS(HASH)
+IMPLEMENT_ASN1_FUNCTIONS(HASH)
+
 /*
  * This function adds the TBB extensions to the internal extension list
  * maintained by OpenSSL so they can be used later.
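Review bot: The new ASN.1 type is introduced with no comment and a very generic name. `DECLARE_ASN1_FUNCTIONS(HASH)` plus `IMPLEMENT_ASN1_FUNCTIONS(HASH)` emit `HASH_new`, `HASH_free`, `d2i_HASH` and `i2d_HASH` with external linkage, which can collide with other code linked into the tool. A comment above the typedef such as `/* DigestInfo: AlgorithmIdentifier + OCTET STRING digest, used by the TBB hash extensions */` would tie it to the layout described later at `ext_new_hash`. A more specific type name would reduce the collision risk.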
@@ -123,37 +139,85 @@
 }
 
 /*
- * Creates a x509v3 extension containing a hash encapsulated in an ASN1 Octet
- * String
+ * Creates a x509v3 extension containing a hash
+ *
+ * DigestInfo ::= SEQUENCE {
+ *     digestAlgorithm  AlgorithmIdentifier,
+ *     digest           OCTET STRING
+ * }
+ *
+ * AlgorithmIdentifier ::=  SEQUENCE  {
+ *     algorithm        OBJECT IDENTIFIER,
+ *     parameters       ANY DEFINED BY algorithm OPTIONAL
+ * }
  *
  * Parameters:
- *   pex: OpenSSL extension pointer (output parameter)
  *   nid: extension identifier
  *   crit: extension critical (EXT_NON_CRIT, EXT_CRIT)
+ *   md: hash algorithm
  *   buf: pointer to the buffer that contains the hash
  *   len: size of the hash in bytes
  *
  * Return: Extension address, NULL if error
  */
-X509_EXTENSION *ext_new_hash(int nid, int crit, unsigned char *buf, size_t len)
+X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
+		unsigned char *buf, size_t len)
 {
 	X509_EXTENSION *ex = NULL;
-	ASN1_OCTET_STRING *hash = NULL;
+	ASN1_OCTET_STRING *octet = NULL;
+	HASH *hash = NULL;
+	ASN1_OBJECT *algorithm = NULL;
+	X509_ALGOR *x509_algor = NULL;
 	unsigned char *p = NULL;
 	int sz = -1;
 
-	/* Encode Hash */
-	hash = ASN1_OCTET_STRING_new();
-	ASN1_OCTET_STRING_set(hash, buf, len);
-	sz = i2d_ASN1_OCTET_STRING(hash, NULL);
-	i2d_ASN1_OCTET_STRING(hash, &p);
+	/* OBJECT_IDENTIFIER with hash algorithm */
+	algorithm = OBJ_nid2obj(md->type);
+	if (algorithm == NULL) {
+		return NULL;
+	}
+
+	/* Create X509_ALGOR */
+	x509_algor = X509_ALGOR_new();
+	if (x509_algor == NULL) {
+		return NULL;
+	}
+	x509_algor->algorithm = algorithm;
+	x509_algor->parameter = ASN1_TYPE_new();
+	ASN1_TYPE_set(x509_algor->parameter, V_ASN1_NULL, NULL);
+
+	/* OCTET_STRING with the actual hash */
+	octet = ASN1_OCTET_STRING_new();
+	if (octet == NULL) {
+		X509_ALGOR_free(x509_algor);
+		return NULL;
+	}
+	ASN1_OCTET_STRING_set(octet, buf, len);
+
+	/* HASH structure containing algorithm + hash */
+	hash = HASH_new();
+	if (hash == NULL) {
+		ASN1_OCTET_STRING_free(octet);
+		X509_ALGOR_free(x509_algor);
+		return NULL;
+	}
+	hash->hashAlgorithm = x509_algor;
+	hash->dataHash = octet;
+
+	/* DER encoded HASH */
+	sz = i2d_HASH(hash, &p);
+	if ((sz <= 0) || (p == NULL)) {
+		HASH_free(hash);
+		X509_ALGOR_free(x509_algor);
+		return NULL;
+	}
 
 	/* Create the extension */
 	ex = ext_new(nid, crit, p, sz);
 
 	/* Clean up */
 	OPENSSL_free(p);
-	ASN1_OCTET_STRING_free(hash);
+	HASH_free(hash);
 
 	return ex;
 }
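Review bot: On the `i2d_HASH` failure path, `HASH_free(hash)` is followed by `X509_ALGOR_free(x509_algor)` although `hash->hashAlgorithm` already points at `x509_algor`, so the same object is freed twice. `HASH_new()` also appears to allocate both members itself (they are `ASN1_SIMPLE`, not optional), in which case the two pointer assignments leak those originals. `md->type` is read without a NULL check, and the returns of `ASN1_TYPE_new()` and `ASN1_OCTET_STRING_set()` are ignored, so an allocation failure there can end in a NULL dereference or an extension carrying an empty digest instead of a NULL return. The sketch below fills the members in place through `X509_ALGOR_set0`, leaving `HASH_free` as the single owner on every exit. Using `EVP_MD_type(md)` also keeps the code building where `EVP_MD` is opaque.
```c
	/* md is caller-supplied; reject NULL before reading its type */
	if (md == NULL) {
		return NULL;
	}

	/* OBJECT_IDENTIFIER with hash algorithm */
	algorithm = OBJ_nid2obj(EVP_MD_type(md));
	/* ... unchanged: NULL check on algorithm ... */

	/* HASH_new() allocates hashAlgorithm and dataHash; fill them in place */
	hash = HASH_new();
	if (hash == NULL) {
		return NULL;
	}
	if (!X509_ALGOR_set0(hash->hashAlgorithm, algorithm, V_ASN1_NULL, NULL) ||
	    !ASN1_OCTET_STRING_set(hash->dataHash, buf, len)) {
		HASH_free(hash);
		return NULL;
	}

	/* DER encoded HASH */
	sz = i2d_HASH(hash, &p);
	if ((sz <= 0) || (p == NULL)) {
		/* HASH_free releases both members; no separate X509_ALGOR_free */
		HASH_free(hash);
		return NULL;
	}
	/* ... unchanged: ext_new call and clean up ... */
```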
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index 6df367a..2af5247 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -277,6 +277,7 @@
 	int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
 	int c, opt_idx = 0;
 	unsigned char md[SHA256_DIGEST_LENGTH];
+	const EVP_MD *md_info;
 
 	NOTICE("CoT Generation Tool: %s\n", build_msg);
 	NOTICE("Target platform: %s\n", platform_msg);
@@ -389,6 +390,10 @@
 		exit(1);
 	}
 
+	/* Indicate SHA256 as image hash algorithm in the certificate
+	 * extension */
+	md_info = EVP_sha256();
+
 	/* Get non-volatile counters NIDs */
 	CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
 	CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
@@ -430,7 +435,7 @@
 		exit(1);
 	}
 	CHECK_OID(hash_nid, BL2_HASH_OID);
-	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
 			SHA256_DIGEST_LENGTH));
 	sk_X509_EXTENSION_push(sk, hash_ext);
 
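Review bot: The algorithm and the digest length reach `ext_new_hash` as two unrelated arguments (`md_info` and `SHA256_DIGEST_LENGTH`) here and in the BL30, BL31, BL32 and BL33 call sites, and nothing visible ties them together. The extension now tells the certificate parser which algorithm to expect, so a later change to `md_info` that misses one length would produce a DigestInfo whose OID and digest size disagree. A check inside `ext_new_hash` such as `if (len != (size_t)EVP_MD_size(md)) return NULL;` would catch that when the certificate is generated. The `md` buffer is declared as `SHA256_DIGEST_LENGTH` bytes, so its size would have to follow any algorithm change as well. The enclosing function starts and ends outside these hunks.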
@@ -509,8 +514,8 @@
 			exit(1);
 		}
 		CHECK_OID(hash_nid, BL30_HASH_OID);
-		CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
-				SHA256_DIGEST_LENGTH));
+		CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
+				md, SHA256_DIGEST_LENGTH));
 		sk_X509_EXTENSION_push(sk, hash_ext);
 
 		if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
@@ -559,7 +564,7 @@
 		exit(1);
 	}
 	CHECK_OID(hash_nid, BL31_HASH_OID);
-	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
 			SHA256_DIGEST_LENGTH));
 	sk_X509_EXTENSION_push(sk, hash_ext);
 
@@ -612,8 +617,8 @@
 			exit(1);
 		}
 		CHECK_OID(hash_nid, BL32_HASH_OID);
-		CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
-				SHA256_DIGEST_LENGTH));
+		CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
+				md, SHA256_DIGEST_LENGTH));
 		sk_X509_EXTENSION_push(sk, hash_ext);
 
 		if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
@@ -662,7 +667,7 @@
 		exit(1);
 	}
 	CHECK_OID(hash_nid, BL33_HASH_OID);
-	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md,
+	CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
 			SHA256_DIGEST_LENGTH));
 	sk_X509_EXTENSION_push(sk, hash_ext);
 
