diff --git a/pkcs11/signer.go b/pkcs11/signer.go
index 39af0c0e..c436b679 100644
--- a/pkcs11/signer.go
+++ b/pkcs11/signer.go
@@ -79,6 +79,13 @@ func getRemainingRequestTime(ctx context.Context, keyIdentifier string) (time.Du
 }
 
 func getSigner(ctx context.Context, requestChan chan scheduler.Request, pool sPool, keyIdentifier string, priority proto.Priority) (signer signerWithSignAlgorithm, err error) {
+ // Need to handle case when we directly invoke SignSSHCert or SignX509Cert for
+ // either generating the host certs or X509 CA certs. In that case we don't need the server
+ // running nor do we need to worry about priority scheduling. In that case, we immediately
+ // fetch the signer from the pool.
+ if requestChan == nil {
+ return pool.get(ctx)
+ }
 remTime, err := getRemainingRequestTime(ctx, keyIdentifier)
 if err != nil {
 return nil, err
diff --git a/pkcs11/signer_test.go b/pkcs11/signer_test.go
index 1cf58eca..dbea963d 100644
--- a/pkcs11/signer_test.go
+++ b/pkcs11/signer_test.go
@@ -438,9 +438,10 @@ func TestSignX509ECCert(t *testing.T) {
 isBadSigner bool
 expectError bool
 }{
- "cert-ec-good-signer": {ctx, certEC, defaultIdentifier, proto.Priority_Unspecified_priority, false, false},
- "cert-ec-bad-identifier": {ctx, certEC, badIdentifier, proto.Priority_Medium, false, true},
- "cert-ec-bad-signer": {ctx, certEC, badIdentifier, proto.Priority_Medium, true, true},
+ "cert-ec-good-signer": {ctx, certEC, defaultIdentifier, proto.Priority_Unspecified_priority, false, false},
+ "cert-ec-bad-identifier": {ctx, certEC, badIdentifier, proto.Priority_Medium, false, true},
+ "cert-ec-bad-signer": {ctx, certEC, badIdentifier, proto.Priority_Medium, true, true},
+ "x509-ec-ca-cert-no-server": {ctx, certEC, defaultIdentifier, proto.Priority_Unspecified_priority, false, false},
 }
 go dummyScheduler(ctx, reqChan)
 for label, tt := range testcases {
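Review bot: The new `if requestChan == nil { return pool.get(ctx) }` fast path returns before `getRemainingRequestTime(ctx, keyIdentifier)` runs, so whatever deadline or remaining-time validation that helper performs is skipped for direct SignSSHCert/SignX509Cert callers, and the wait on the pool is bounded only by however `pool.get` (not visible here) honors ctx. It is also a silent mode switch: a server-side caller that ends up with a nil channel through misconfiguration bypasses priority scheduling with no error or log line. I would make the contract explicit in the function's doc comment rather than an inline note, e.g. `// getSigner returns a pooled signer for keyIdentifier. A nil requestChan selects direct mode: the signer is fetched from the pool immediately, bypassing priority scheduling and the remaining-request-time check, bounded only by ctx.`, and consider a debug log when the fast path is taken so the bypass is observable. getSigner's body continues past the hunk.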
@@ -448,8 +449,13 @@ func TestSignX509ECCert(t *testing.T) {
 t.Run(label, func(t *testing.T) {
 t.Parallel()
 signer := initMockSigner(x509.ECDSA, caPriv, caCert, tt.isBadSigner)
- data, err := signer.SignX509Cert(tt.ctx, reqChan, tt.cert, tt.identifier, tt.priority)
- if err != nil != tt.expectError {
+ var data []byte
+ if label == "x509-ec-ca-cert-no-server" {
+ data, err = signer.SignX509Cert(tt.ctx, nil, tt.cert, tt.identifier, tt.priority)
+ } else {
+ data, err = signer.SignX509Cert(tt.ctx, reqChan, tt.cert, tt.identifier, tt.priority)
+ }
+ if (err != nil) != tt.expectError {
 t.Fatalf("%s: got err: %v, expect err: %v", label, err, tt.expectError)
 }
 if err != nil {
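Review bot: The switch from `data, err :=` to `data, err =` means `err` is no longer declared inside the `t.Run` closure, and with `t.Parallel()` in effect every subtest now writes to the same `err` from the enclosing scope (presumably declared earlier in TestSignX509ECCert, outside this hunk), which is a data race that `go test -race` will report and which lets one subtest's error leak into another's `if err != nil` check. Declare both locals in the closure: `var data []byte` followed by `var err error`, keeping the `=` assignments below. Separately, selecting the nil-channel path by comparing `label` to a string literal is brittle (renaming the case silently reverts it to the scheduled path); a `noServer bool` column in the test table with `if tt.noServer {` would make the intent explicit. The enclosing closure and test function continue outside the hunk.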