diff --git a/cmake/sysbuild/b0_mcuboot_signing.cmake b/cmake/sysbuild/b0_mcuboot_signing.cmake
index f9b205da0..71f523763 100644
--- a/cmake/sysbuild/b0_mcuboot_signing.cmake
+++ b/cmake/sysbuild/b0_mcuboot_signing.cmake
@@ -12,6 +12,7 @@
 
 function(ncs_secure_boot_mcuboot_sign application bin_files signed_targets prefix)
   set(keyfile "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}")
+  string(CONFIGURE "${keyfile}" keyfile)
 
   # Find imgtool. Even though west is installed, imgtool might not be.
   # The user may also have a custom manifest which doesn't include
diff --git a/cmake/sysbuild/debug_keys.cmake b/cmake/sysbuild/debug_keys.cmake
index af94348d0..94eff63b9 100644
--- a/cmake/sysbuild/debug_keys.cmake
+++ b/cmake/sysbuild/debug_keys.cmake
@@ -47,11 +47,13 @@ if(NOT SB_CONFIG_SECURE_BOOT_SIGNING_CUSTOM AND "${SB_CONFIG_SECURE_BOOT_SIGNING
     )
   set(SIGN_KEY_FILE_DEPENDS debug_sign_key_target)
 else()
-  if(IS_ABSOLUTE ${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE})
-    set(SIGNATURE_PRIVATE_KEY_FILE ${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE})
+  set(keyfile "${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE}")
+  string(CONFIGURE "${keyfile}" keyfile)
+  if(IS_ABSOLUTE ${keyfile})
+    set(SIGNATURE_PRIVATE_KEY_FILE ${keyfile})
   else()
     # Resolve path relative to the application configuration directory.
-    set(SIGNATURE_PRIVATE_KEY_FILE ${APPLICATION_CONFIG_DIR}/${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE})
+    set(SIGNATURE_PRIVATE_KEY_FILE ${APPLICATION_CONFIG_DIR}/${keyfile})
   endif()
 
   if(NOT EXISTS ${SIGNATURE_PRIVATE_KEY_FILE})
diff --git a/cmake/sysbuild/image_signing.cmake b/cmake/sysbuild/image_signing.cmake
index c59681b8f..c33a9def5 100644
--- a/cmake/sysbuild/image_signing.cmake
+++ b/cmake/sysbuild/image_signing.cmake
@@ -19,6 +19,8 @@ endfunction()
 function(zephyr_mcuboot_tasks)
   set(keyfile "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}")
   set(keyfile_enc "${CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE}")
+  string(CONFIGURE "${keyfile}" keyfile)
+  string(CONFIGURE "${keyfile_enc}" keyfile_enc)
 
   if(NOT "${CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE}")
     # Check for misconfiguration.
diff --git a/cmake/sysbuild/sign.cmake b/cmake/sysbuild/sign.cmake
index 3881744c5..c593a2723 100644
--- a/cmake/sysbuild/sign.cmake
+++ b/cmake/sysbuild/sign.cmake
@@ -30,8 +30,10 @@ function(b0_gen_keys)
       -out ${SIGNATURE_PUBLIC_KEY_FILE}
       )
   elseif(SB_CONFIG_SECURE_BOOT_SIGNING_CUSTOM)
-    set(SIGNATURE_PUBLIC_KEY_FILE ${SB_CONFIG_SECURE_BOOT_SIGNING_PUBLIC_KEY})
-    set(SIGNATURE_PUBLIC_KEY_FILE ${SB_CONFIG_SECURE_BOOT_SIGNING_PUBLIC_KEY} PARENT_SCOPE)
+    set(keyfile "${SB_CONFIG_SECURE_BOOT_SIGNING_PUBLIC_KEY}")
+    string(CONFIGURE "${keyfile}" keyfile)
+    set(SIGNATURE_PUBLIC_KEY_FILE ${keyfile})
+    set(SIGNATURE_PUBLIC_KEY_FILE ${keyfile} PARENT_SCOPE)
 
     if(NOT EXISTS ${SIGNATURE_PUBLIC_KEY_FILE} OR IS_DIRECTORY ${SIGNATURE_PUBLIC_KEY_FILE})
       message(WARNING "Invalid public key file: ${SIGNATURE_PUBLIC_KEY_FILE}")
@@ -165,6 +167,7 @@ function(b0_sign_image slot)
       )
   elseif(SB_CONFIG_SECURE_BOOT_SIGNING_CUSTOM)
     set(custom_sign_cmd "${SB_CONFIG_SECURE_BOOT_SIGNING_COMMAND}")
+    string(CONFIGURE "${custom_sign_cmd}" custom_sign_cmd)
 
     if (("${custom_sign_cmd}" STREQUAL "") OR (NOT EXISTS ${SIGNATURE_PUBLIC_KEY_FILE}))
       message(FATAL_ERROR "You must specify a signing command and valid public key file for custom signing.")