diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c
index 8ec41344f..e295cc420 100644
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -852,8 +852,17 @@ hx509_cms_verify_signed(hx509_context context,
 	ret = find_CMSIdentifier(context, &signer_info->sid, certs,
 				 _hx509_verify_get_time(ctx), &cert,
 				 HX509_QUERY_KU_DIGITALSIGNATURE);
-	if (ret)
-	    continue;
+	if (ret) {
+	    if ((flags & HX509_CMS_VS_NO_KU_CHECK) == 0)
+		continue;
+
+	    ret = find_CMSIdentifier(context, &signer_info->sid, certs,
+				     _hx509_verify_get_time(ctx), &cert,
+				     0);
+	    if (ret)
+		continue;
+
+	}
 
 	if (signer_info->signedAttrs) {
 	    const Attribute *attr;
diff --git a/lib/hx509/hx509.h b/lib/hx509/hx509.h
index 12e6ce942..4f1c5942f 100644
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -130,6 +130,7 @@ typedef enum {
 
 /* flags to hx509_cms_verify_signed */
 #define HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH 0x01
+#define HX509_CMS_VS_NO_KU_CHECK 0x02
 
 /* selectors passed to hx509_crypto_select and hx509_crypto_available */
 #define HX509_SELECT_ALL 0
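Review bot: The fallback lookup with a query mask of 0 silently accepts a signer certificate whose keyUsage does not assert digitalSignature, and nothing in the hunk records that the weaker path was taken, so a caller passing HX509_CMS_VS_NO_KU_CHECK cannot tell afterwards whether the signer met the usual RFC 5280 constraint. Add a comment above the second find_CMSIdentifier call stating the relaxation explicitly, e.g. `/* Caller opted out of the keyUsage check: retry without the digitalSignature constraint. The signature itself is still verified below. */` — the "verified below" part is inferred from the function's name and should be confirmed against the code after the hunk, since hx509_cms_verify_signed both starts and ends outside it. Consider also whether the relaxation is meant to apply to all signer_info entries or only when the KU-constrained lookup fails for a KU reason; as written, any failure of the first lookup (cert not found, time validity) is retried unconstrained, which is fine for a superset query but worth stating. The blank line before the closing `}` of the new `if (ret) {` block is a leftover and should be dropped.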
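Review bot: HX509_CMS_VS_NO_KU_CHECK is added to the public header without any description of what it relaxes, unlike a reader would expect next to a verification flag. A one-line comment on the define would make the security trade-off visible at the API surface, e.g. `#define HX509_CMS_VS_NO_KU_CHECK 0x02 /* accept signer certs whose keyUsage lacks digitalSignature */`. Since the flags to hx509_cms_verify_signed are bit values, it may also be worth noting in the same comment that this flag only affects signer-certificate selection, not the signature check itself, if that is confirmed by the cms.c side.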