diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 9017421..ad2b965 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -798,50 +798,53 @@ wrap_nettle_pk_generate_params(gnutls_pk_algorithm_t algo,
 				return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
 
 #ifdef ENABLE_FIPS140
-			if (algo==GNUTLS_PK_DSA)
-				index = 1;
-			else
-				index = 2;
+			if (_gnutls_fips_mode_enabled() != 0) {
+				if (algo==GNUTLS_PK_DSA)
+					index = 1;
+				else
+					index = 2;
 
-			ret =
-			    dsa_generate_dss_pqg(&pub, &cert,
+				ret =
+				    dsa_generate_dss_pqg(&pub, &cert,
 			    			 index,
 						 NULL, rnd_func, 
 						 NULL, NULL,
 						 level, q_bits);
-			if (ret != 1) {
-				gnutls_assert();
-				ret = GNUTLS_E_PK_GENERATION_ERROR;
-				goto dsa_fail;
-			}
+				if (ret != 1) {
+					gnutls_assert();
+					ret = GNUTLS_E_PK_GENERATION_ERROR;
+					goto dsa_fail;
+				}
 
-			/* verify the generated parameters */
-			ret = dsa_validate_dss_pqg(&pub, &cert, index);
-			if (ret != 1) {
-				gnutls_assert();
-				ret = GNUTLS_E_PK_GENERATION_ERROR;
-				goto dsa_fail;
-			}
-#else
-			/* unfortunately nettle only accepts 160 or 256
-			 * q_bits size. The check below makes sure we handle
-			 * cases in between by rounding up, but fail when
-			 * larger numbers are requested. */
-			if (q_bits < 160)
-				q_bits = 160;
-			else if (q_bits > 160 && q_bits <= 256)
-				q_bits = 256;
-			ret =
-			    dsa_generate_keypair(&pub, &priv,
+				/* verify the generated parameters */
+				ret = dsa_validate_dss_pqg(&pub, &cert, index);
+				if (ret != 1) {
+					gnutls_assert();
+					ret = GNUTLS_E_PK_GENERATION_ERROR;
+					goto dsa_fail;
+				}
+			} else 
+#endif
+			{
+				/* unfortunately nettle only accepts 160 or 256
+				 * q_bits size. The check below makes sure we handle
+				 * cases in between by rounding up, but fail when
+				 * larger numbers are requested. */
+				if (q_bits < 160)
+					q_bits = 160;
+				else if (q_bits > 160 && q_bits <= 256)
+					q_bits = 256;
+				ret =
+				    dsa_generate_keypair(&pub, &priv,
 						 NULL, rnd_func, 
 						 NULL, NULL,
 						 level, q_bits);
-			if (ret != 1) {
-				gnutls_assert();
-				ret = GNUTLS_E_PK_GENERATION_ERROR;
-				goto dsa_fail;
+				if (ret != 1) {
+					gnutls_assert();
+					ret = GNUTLS_E_PK_GENERATION_ERROR;
+					goto dsa_fail;
+				}
 			}
-#endif
 
 			params->params_nr = 0;
 
@@ -1148,7 +1151,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
 	switch (algo) {
 	case GNUTLS_PK_DSA:
 #ifdef ENABLE_FIPS140
-		{
+		if (_gnutls_fips_mode_enabled() != 0) {
 			struct dsa_public_key pub;
 			struct dsa_private_key priv;
 
@@ -1272,17 +1275,18 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
 			rsa_private_key_init(&priv);
 
 			mpz_set_ui(pub.e, 65537);
-#ifdef ENABLE_FIPS140
-			ret =
-			    rsa_generate_fips186_4_keypair(&pub, &priv, NULL,
+
+			if (_gnutls_fips_mode_enabled() != 0) {
+				ret =
+				    rsa_generate_fips186_4_keypair(&pub, &priv, NULL,
 						 rnd_func, NULL, NULL,
 						 level);
-#else
-			ret =
-			    rsa_generate_keypair(&pub, &priv, NULL,
+			} else {
+				ret =
+				    rsa_generate_keypair(&pub, &priv, NULL,
 						 rnd_func, NULL, NULL,
 						 level, 0);
-#endif
+			}
 			if (ret != 1) {
 				gnutls_assert();
 				ret = GNUTLS_E_PK_GENERATION_ERROR;