diff --git a/Makefile b/Makefile index ab0ccb1..183f20d 100644 --- a/Makefile +++ b/Makefile @@ -1018,7 +1018,7 @@ .PHONY: ${CRTTOOL} ${CRTTOOL}: - ${Q}${MAKE} PLAT=${PLAT} USE_TBBR_DEFS=${USE_TBBR_DEFS} --no-print-directory -C ${CRTTOOLPATH} + ${Q}${MAKE} PLAT=${PLAT} USE_TBBR_DEFS=${USE_TBBR_DEFS} COT=${COT} --no-print-directory -C ${CRTTOOLPATH} @${ECHO_BLANK_LINE} @echo "Built $@ successfully" @${ECHO_BLANK_LINE} diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst index b702c34..2f44fe8 100644 --- a/docs/getting_started/build-options.rst +++ b/docs/getting_started/build-options.rst @@ -128,6 +128,9 @@ ``plat_secondary_cold_boot_setup()`` platform porting interfaces do not need to be implemented in this case. +- ``COT``: When Trusted Boot is enabled, selects the desired chain of trust. + Defaults to ``tbbr``. + - ``CRASH_REPORTING``: A non-zero value enables a console dump of processor register state when an unexpected exception occurs during execution of BL31. This option defaults to the value of ``DEBUG`` - i.e. by default diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 4af1da6..fff336c 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -204,6 +204,9 @@ # Build option to choose whether Trusted Firmware uses library at ROM USE_ROMLIB := 0 +# Chain of trust. +COT := tbbr + # Use tbbr_oid.h instead of platform_oid.h USE_TBBR_DEFS := 1 diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk index 9d4f05e..c8b7ab4 100644 --- a/plat/arm/common/arm_common.mk +++ b/plat/arm/common/arm_common.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # 
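Review bot: The ${CRTTOOL} recipe now forwards both USE_TBBR_DEFS and COT to cert_create, yet the new tools/cert_create/src/tbbr/tbbr.mk assigns `USE_TBBR_DEFS := 1` itself; because a command-line assignment overrides a file assignment, a top-level `USE_TBBR_DEFS=0` would still select tbbr.mk's platform-specific branch while COT reads `tbbr`, so the two knobs can disagree. If forwarding USE_TBBR_DEFS is still intended, a comment on the recipe would spare the next reader the search: `# COT selects the cert_create chain-of-trust sources; USE_TBBR_DEFS is still forwarded because src/tbbr/tbbr.mk honours a command-line override.` The whole ${CRTTOOL} rule is inside the hunk.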
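Review bot: The comment above the new `COT := tbbr` default in make_helpers/defaults.mk says only `# Chain of trust.`; since this change rejects any other value with $(error) in plat/arm/common/arm_common.mk and tools/cert_create/Makefile, the accepted values belong next to the default. Suggested wording: `# Chain of trust used when Trusted Boot is enabled. Only "tbbr" is accepted; any other value is rejected with $(error).`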
@@ -254,7 +254,13 @@
 AUTH_SOURCES := drivers/auth/auth_mod.c \
 drivers/auth/crypto_mod.c \
 drivers/auth/img_parser_mod.c \
- drivers/auth/tbbr/tbbr_cot.c \
+
+ # Include the selected chain of trust sources.
+ ifeq (${COT},tbbr)
+ AUTH_SOURCES += drivers/auth/tbbr/tbbr_cot.c
+ else
+ $(error Unknown chain of trust ${COT})
+ endif
 
 BL1_SOURCES += ${AUTH_SOURCES} \
 bl1/tbbr/tbbr_img_desc.c \
diff --git a/tools/cert_create/Makefile b/tools/cert_create/Makefile
index c03629a..eff929e 100644
--- a/tools/cert_create/Makefile
+++ b/tools/cert_create/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
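Review bot: The context line `drivers/auth/img_parser_mod.c \` keeps its trailing backslash, so the `AUTH_SOURCES :=` definition now terminates only because the line added right after it is blank; that dangling continuation will silently swallow whatever is placed on that line later. Dropping the backslash, `drivers/auth/img_parser_mod.c`, makes the end of the list explicit (the line is context here, so it needs to move to the new side). Rejecting an unknown COT with $(error) instead of falling through to an AUTH_SOURCES without any chain-of-trust file is the right call, and it matches the guard in tools/cert_create/Makefile; the collapsed diff does not preserve whitespace, so the indentation of the `ifeq`/`else`/`endif` lines cannot be checked here.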
@@ -10,53 +10,41 @@
 DEBUG := 0
 BINARY := ${PROJECT}${BIN_EXT}
 OPENSSL_DIR := /usr
-USE_TBBR_DEFS := 1
-
-OBJECTS := src/cert.o \
- src/cmd_opt.o \
- src/ext.o \
- src/key.o \
- src/main.o \
- src/sha.o \
- src/tbbr/tbb_cert.o \
- src/tbbr/tbb_ext.o \
- src/tbbr/tbb_key.o
-
-HOSTCCFLAGS := -Wall -std=c99
+COT := tbbr
 
 MAKE_HELPERS_DIRECTORY := ../../make_helpers/
 include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
 include ${MAKE_HELPERS_DIRECTORY}build_env.mk
 
-ifeq (${USE_TBBR_DEFS},1)
-# In this case, cert_tool is platform-independent
-PLAT_MSG := TBBR Generic
-PLAT_INCLUDE := ../../include/tools_share
+# Common source files.
+OBJECTS := src/cert.o \
+ src/cmd_opt.o \
+ src/ext.o \
+ src/key.o \
+ src/main.o \
+ src/sha.o
+
+# Chain of trust.
+ifeq (${COT},tbbr)
+ include src/tbbr/tbbr.mk
 else
-PLAT_MSG := ${PLAT}
-
-TF_PLATFORM_ROOT := ../../plat/
-include ${MAKE_HELPERS_DIRECTORY}plat_helpers.mk
-
-PLAT_INCLUDE := $(wildcard ${PLAT_DIR}include)
-
-ifeq ($(PLAT_INCLUDE),)
- $(error "Error: Invalid platform '${PLAT}' has no include directory.")
+ $(error Unknown chain of trust ${COT})
 endif
-endif
+
+HOSTCCFLAGS := -Wall -std=c99
 
 ifeq (${DEBUG},1)
 HOSTCCFLAGS += -g -O0 -DDEBUG -DLOG_LEVEL=40
 else
 HOSTCCFLAGS += -O2 -DLOG_LEVEL=20
 endif
+
 ifeq (${V},0)
 Q := @
 else
 Q :=
 endif
 
-$(eval $(call add_define,USE_TBBR_DEFS))
 HOSTCCFLAGS += ${DEFINES}
 
 # Make soft links and include from local directory otherwise wrong headers
diff --git a/tools/cert_create/src/ext.c b/tools/cert_create/src/ext.c
index 57fb47d..d9a92bb 100644
--- a/tools/cert_create/src/ext.c
+++ b/tools/cert_create/src/ext.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
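Review bot: The new `include src/tbbr/tbbr.mk` line depends on what precedes it in this Makefile — tbbr.mk calls `add_define` (brought in by the build_macros.mk include above), reads `MAKE_HELPERS_DIRECTORY`, and appends to the `OBJECTS :=` list defined just before the conditional — but nothing records that ordering. A comment on the conditional would protect it: `# Keep after the build_macros.mk include and the OBJECTS definition: the CoT makefile uses add_define and appends to OBJECTS.` Moving `$(eval $(call add_define,USE_TBBR_DEFS))` out of this file and ahead of `HOSTCCFLAGS := -Wall -std=c99` is only equivalent if add_define records the define in ${DEFINES}, which `HOSTCCFLAGS += ${DEFINES}` further down still consumes; add_define is not in this diff, so that is worth confirming. The `$(error Unknown chain of trust ${COT})` guard matches the one in plat/arm/common/arm_common.mk.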
@@ -33,11 +33,11 @@ IMPLEMENT_ASN1_FUNCTIONS(HASH) /* - * This function adds the TBB extensions to the internal extension list + * This function adds the CoT extensions to the internal extension list * maintained by OpenSSL so they can be used later. * * It also initializes the methods to print the contents of the extension. If an - * alias is specified in the TBB extension, we reuse the methods of the alias. + * alias is specified in the CoT extension, we reuse the methods of the alias. * Otherwise, only methods for V_ASN1_INTEGER and V_ASN1_OCTET_STRING are * provided. Any other type will be printed as a raw ascii string. * diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c index 863db7b..2ba1101 100644 --- a/tools/cert_create/src/main.c +++ b/tools/cert_create/src/main.c @@ -47,7 +47,7 @@ do { \ v = OBJ_txt2nid(oid); \ if (v == NID_undef) { \ - ERROR("Cannot find TBB extension %s\n", oid); \ + ERROR("Cannot find extension %s\n", oid); \ exit(1); \ } \ } while (0) @@ -335,7 +335,7 @@ /* Initialize the new types and register OIDs for the extensions */ if (ext_init() != 0) { - ERROR("Cannot initialize TBB extensions\n"); + ERROR("Cannot initialize extensions\n"); exit(1); } diff --git a/tools/cert_create/src/tbbr/tbbr.mk b/tools/cert_create/src/tbbr/tbbr.mk new file mode 100644 index 0000000..ee82d31 --- /dev/null +++ b/tools/cert_create/src/tbbr/tbbr.mk 
@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+USE_TBBR_DEFS := 1
+$(eval $(call add_define,USE_TBBR_DEFS))
+
+ifeq (${USE_TBBR_DEFS},1)
+# In this case, cert_tool is platform-independent
+PLAT_MSG := TBBR Generic
+PLAT_INCLUDE := ../../include/tools_share
+else
+PLAT_MSG := ${PLAT}
+
+TF_PLATFORM_ROOT := ../../plat/
+include ${MAKE_HELPERS_DIRECTORY}plat_helpers.mk
+
+PLAT_INCLUDE := $(wildcard ${PLAT_DIR}include)
+
+ifeq ($(PLAT_INCLUDE),)
+ $(error "Error: Invalid platform '${PLAT}' has no include directory.")
+endif
+endif
+
+OBJECTS += src/tbbr/tbb_cert.o \
+ src/tbbr/tbb_ext.o \
+ src/tbbr/tbb_key.o
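Review bot: The file assigns `USE_TBBR_DEFS := 1` and immediately tests `ifeq (${USE_TBBR_DEFS},1)`, so read on its own the else branch (platform-specific PLAT_INCLUDE with its own $(error) check) looks like dead code; it is reachable only when USE_TBBR_DEFS is overridden on the make command line, which the top-level ${CRTTOOL} recipe in this change does. A comment after the assignment would make that explicit: `# May be overridden on the command line (the top-level Makefile forwards USE_TBBR_DEFS); 0 builds a platform-specific cert_create.` The file also relies on `add_define` and `MAKE_HELPERS_DIRECTORY` from the including tools/cert_create/Makefile, which the header comment should state. If the platform-specific build is no longer meant to be supported now that COT exists, dropping the else branch would be cleaner than carrying it into the new file.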