diff --git a/docker/Makefile b/docker/Makefile
index 7d6f5c85..e9b4c696 100644
--- a/docker/Makefile
+++ b/docker/Makefile
@@ -50,6 +50,8 @@ DOCKER_BUILDARGS += --build-arg UID=$(PDO_USER_UID)
 DOCKER_BUILDARGS += --build-arg GID=$(PDO_GROUP_UID)
 DOCKER_ARGS = $(DOCKER_BUILDARGS)
+IAS_CERTIFICATES=$(DOCKER_DIR)/repository/common/crypto/verify_ias_report/ias-certificates.txt
+
 IMAGES=base client services_base services services_sgx ccf_base ccf
 # for the most part this is just used to force rebuild when the
@@ -71,7 +73,7 @@ build_% : repository
 --tag pdo_$*:$(PDO_VERSION) \
 --file '$(DOCKER_DIR)'/pdo_$*.dockerfile .
-sgx_build_services : repository build_services_base
+sgx_build_services : $(IAS_CERTIFICATES) repository build_services_base
 docker build $(DOCKER_ARGS) \
 --build-arg PDO_VERSION=$(PDO_VERSION) \
 --build-arg SGX_MODE=HW \
@@ -111,6 +113,11 @@ stop_services :
 stop_client :
 - docker rm -f client_container
+$(IAS_CERTIFICATES) : repository
+ # the script prepares the certificates from the source repo
+ # and moves only the necessary artifacts to the destination repo (absolute path required)
+ $(DOCKER_DIR)/tools/prepare_ias_certificates.sh "$(PDO_SOURCE_ROOT)" $(DOCKER_DIR)/$<
+
 # -----------------------------------------------------------------
 # We need a repository with the source for the branch we are going
 # to build. In theory this could just be a copy of the local source
diff --git a/docker/tools/prepare_ias_certificates.sh b/docker/tools/prepare_ias_certificates.sh
new file mode 100755
index 00000000..4d67af06
--- /dev/null
+++ b/docker/tools/prepare_ias_certificates.sh
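Review bot: The recipe of the new `$(IAS_CERTIFICATES)` rule leaves `$(DOCKER_DIR)` unquoted in both the script path and the destination argument, although `"$(PDO_SOURCE_ROOT)"` on the same line and `'$(DOCKER_DIR)'` in the `build_%` recipe are quoted; a checkout path containing a space would split the arguments, so `"$(DOCKER_DIR)"/tools/prepare_ias_certificates.sh "$(PDO_SOURCE_ROOT)" "$(DOCKER_DIR)/$<"` is safer. The target is the certificate file under `verify_ias_report`, and the script's own header says the in-container build skips retrieval once the file exists, so a partial file left by a failed or interrupted run would be treated as up to date and carried into the HW-mode image; if the Makefile does not already declare `.DELETE_ON_ERROR:` (not visible in these hunks), adding it would guard against that. The script body is not visible here, so whether the downloaded certificate is compared with a pinned digest before it is accepted cannot be confirmed and is worth checking. The two `#` lines inside the recipe are recipe lines, so they are passed to the shell and echoed on every run; placing them above the rule header keeps them as Make comments.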
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Copyright 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# This script prepares the IAS certificate that is necessary for build in HW mode.
+# The certificate is downloaded in the repo before the docker build, thus becoming
+# part of the "repository". The docker build will then clone the repository in the
+# container. As the certificate will be avialable, the build inside docker will not
+# attempt to retrieve it.
+
+if [ $# != 2 ] ; then
+ echo "$(basename $0 '$