diff --git a/linux/Config.in b/linux/Config.in
index 7aed6f8075..e91bdb99c7 100644
--- a/linux/Config.in
+++ b/linux/Config.in
@@ -391,6 +391,19 @@ config BR2_LINUX_KERNEL_INSTALL_TARGET
 	  /boot if DTBs have been generated by the kernel build
 	  process.
 
+config BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL
+	bool "Needs host OpenSSL"
+	help
+	  Some Linux kernel configuration options (such as
+	  CONFIG_SYSTEM_TRUSTED_KEYRING) require building a host
+	  program called extract-cert, which itself needs
+	  OpenSSL. Enabling this option will ensure host-openssl gets
+	  built before the Linux kernel.
+
+	  Enable this option if you get a Linux kernel build failure
+	  such as "scripts/extract-cert.c:21:25: fatal error:
+	  openssl/bio.h: No such file or directory".
+
 # Linux extensions
 source "linux/Config.ext.in"
 
diff --git a/linux/linux.mk b/linux/linux.mk
index 2be2403570..359f21c75c 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -80,6 +80,10 @@ LINUX_COMPRESSION_OPT_$(BR2_LINUX_KERNEL_LZMA) += CONFIG_KERNEL_LZMA
 LINUX_COMPRESSION_OPT_$(BR2_LINUX_KERNEL_LZO) += CONFIG_KERNEL_LZO
 LINUX_COMPRESSION_OPT_$(BR2_LINUX_KERNEL_XZ) += CONFIG_KERNEL_XZ
 
+ifeq ($(BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL),y)
+LINUX_DEPENDENCIES += host-openssl
+endif
+
 # If host-uboot-tools is selected by the user, assume it is needed to
 # create a custom image
 ifeq ($(BR2_PACKAGE_HOST_UBOOT_TOOLS),y)