diff --git a/programs/nstool/source/EsCertProcess.cpp b/programs/nstool/source/EsCertProcess.cpp
index c7b143b..8c28f1f 100644
--- a/programs/nstool/source/EsCertProcess.cpp
+++ b/programs/nstool/source/EsCertProcess.cpp
@@ -116,7 +116,7 @@ void EsCertProcess::validateCert(const es::SignedData<es::CertificateBody>& cert
 			{
 				throw fnd::Exception(kModuleName, "Issued by Root, but does not have a RSA4096 signature");
 			}
-			sig_validate_res = crypto::rsa::pkcs::rsaVerify(mKeyset->pki_root_sign_key, getCryptoHashAlgoFromEsSignHashAlgo(cert_hash_algo), cert_hash, cert.getSignature().getSignature().data()); 
+			sig_validate_res = crypto::rsa::pkcs::rsaVerify(mKeyset->pki.root_sign_key, getCryptoHashAlgoFromEsSignHashAlgo(cert_hash_algo), cert_hash, cert.getSignature().getSignature().data()); 
 		}
 		else
 		{
diff --git a/programs/nstool/source/UserSettings.cpp b/programs/nstool/source/UserSettings.cpp
index cf8e393..9fc7c60 100644
--- a/programs/nstool/source/UserSettings.cpp
+++ b/programs/nstool/source/UserSettings.cpp
@@ -505,8 +505,8 @@ void UserSettings::populateKeyset(sCmdArgs& args)
 	_SAVE_KEYDATA(_CONCAT_2_STRINGS(kPackage2Base, kRsaKeySuffix[0]), mKeyset.package2_sign_key.priv_exponent, crypto::rsa::kRsa2048Size);
 	_SAVE_KEYDATA(_CONCAT_2_STRINGS(kPackage2Base, kRsaKeySuffix[1]), mKeyset.package2_sign_key.modulus, crypto::rsa::kRsa2048Size);
 
-	_SAVE_KEYDATA(_CONCAT_2_STRINGS(kPkiRootBase, kRsaKeySuffix[0]), mKeyset.pki_root_sign_key.priv_exponent, crypto::rsa::kRsa4096Size);
-	_SAVE_KEYDATA(_CONCAT_2_STRINGS(kPkiRootBase, kRsaKeySuffix[1]), mKeyset.pki_root_sign_key.modulus, crypto::rsa::kRsa4096Size);
+	_SAVE_KEYDATA(_CONCAT_2_STRINGS(kPkiRootBase, kRsaKeySuffix[0]), mKeyset.pki.root_sign_key.priv_exponent, crypto::rsa::kRsa4096Size);
+	_SAVE_KEYDATA(_CONCAT_2_STRINGS(kPkiRootBase, kRsaKeySuffix[1]), mKeyset.pki.root_sign_key.modulus, crypto::rsa::kRsa4096Size);
 
 
 	// save keydata from input args
diff --git a/programs/nstool/source/nstool.h b/programs/nstool/source/nstool.h
index 470a687..9c5f6c9 100644
--- a/programs/nstool/source/nstool.h
+++ b/programs/nstool/source/nstool.h
@@ -65,7 +65,7 @@ struct sKeyset
 {
 	crypto::rsa::sRsa2048Key acid_sign_key;
 
-	crypto::rsa::sRsa4096Key pki_root_sign_key;
+	
 
 	crypto::aes::sAes128Key package1_key[kMasterKeyNum];
 	crypto::rsa::sRsa2048Key package2_sign_key;
@@ -94,6 +94,11 @@ struct sKeyset
 		crypto::rsa::sRsa2048Key sign_key;
 		crypto::aes::sAes128Key titlekey_kek[kMasterKeyNum];
 	} ticket;
+
+	struct sPkiData
+	{
+		crypto::rsa::sRsa4096Key root_sign_key;
+	} pki;
 };
 
 inline byte_t charToByte(char chr)