diff --git a/target/product/security/Android.mk b/target/product/security/Android.mk
index 1d695aedc..a0b2d6dc6 100644
--- a/target/product/security/Android.mk
+++ b/target/product/security/Android.mk
@@ -60,3 +60,30 @@ $(LOCAL_BUILT_MODULE): \
 	    $(extra_recovery_keys)
 	$(SOONG_ZIP) -o $@ -j \
 	    $(foreach key_file, $(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS), -f $(key_file))
+
+
+#######################################
+# update_engine_payload_key, used by update_engine. We use the same key as otacerts but in RSA
+# public key format.
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := update_engine_payload_key
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_STEM := update-payload-key.pub.pem
+LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/update_engine
+include $(BUILD_SYSTEM)/base_rules.mk
+$(LOCAL_BUILT_MODULE): $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+	openssl x509 -pubkey -noout -in $< > $@
+
+
+#######################################
+# update_engine_payload_key for recovery image, used by update_engine.
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := update_engine_payload_key.recovery
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_STEM := update-payload-key.pub.pem
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/update_engine
+include $(BUILD_SYSTEM)/base_rules.mk
+$(LOCAL_BUILT_MODULE): $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+	openssl x509 -pubkey -noout -in $< > $@