diff --git a/doc/man/keymgr.8in b/doc/man/keymgr.8in
index 184e1a5306d89a80b9a88dd868acac4883aa357f..182d74ff343eacfb8fa55334dd5140dbe2bf1dee 100644
--- a/doc/man/keymgr.8in
+++ b/doc/man/keymgr.8in
@@ -190,7 +190,7 @@ If set to \fByes\fP, the key will be used for signing zone (except DNSKEY rrset)
 be set concurrently with the \fBksk\fP flag.
 .TP
 \fBsep\fP
-Overrides the standard setting of the Secure Entry Point flag for the generated key.
+Overrides the standard setting of the Secure Entry Point flag.
 .UNINDENT
 .sp
 The following arguments are timestamps of key lifetime (see DNSSEC Key states):
diff --git a/doc/man_keymgr.rst b/doc/man_keymgr.rst
index e87d3e49f3854285b741ba454d0979ea0d3ff9ae..62eedb9a78f9fa2b3dd9428af966ca596f942031 100644
--- a/doc/man_keymgr.rst
+++ b/doc/man_keymgr.rst
@@ -163,7 +163,7 @@ Arguments are separated by space, each of them is in format 'name=value'.
   be set concurrently with the **ksk** flag.
 
 **sep**
-  Overrides the standard setting of the Secure Entry Point flag for the generated key.
+  Overrides the standard setting of the Secure Entry Point flag.
 
 The following arguments are timestamps of key lifetime (see :ref:`DNSSEC Key states`):
 
diff --git a/src/utils/keymgr/functions.c b/src/utils/keymgr/functions.c
index 366472a43dba89c639b9db0d422c5f985e899f11..0a5bbb466305ecc20da02a3211378dd8e42d454d 100644
--- a/src/utils/keymgr/functions.c
+++ b/src/utils/keymgr/functions.c
@@ -145,7 +145,7 @@ static bool genkeyargs(int argc, char *argv[], bool just_timing,
 			bitmap_set(flags, DNSKEY_GENERATE_KSK, str2bool(argv[i] + 4));
 		} else if (strncasecmp(argv[i], "zsk=", 4) == 0) {
 			bitmap_set(flags, DNSKEY_GENERATE_ZSK, str2bool(argv[i] + 4));
-		} else if (!just_timing && strncasecmp(argv[i], "sep=", 4) == 0) {
+		} else if (strncasecmp(argv[i], "sep=", 4) == 0) {
 			bitmap_set(flags, DNSKEY_GENERATE_SEP_SPEC, true);
 			bitmap_set(flags, DNSKEY_GENERATE_SEP_ON, str2bool(argv[i] + 4));
 		} else if (!just_timing && strncasecmp(argv[i], "size=", 5) == 0) {
@@ -816,8 +816,14 @@ int keymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[])
 			return ret;
 		}
 		key->timing = temp;
-		key->is_ksk = (flags & DNSKEY_GENERATE_KSK);
-		key->is_zsk = (flags & DNSKEY_GENERATE_ZSK);
+		if (key->is_ksk != (bool)(flags & DNSKEY_GENERATE_KSK) ||
+		    key->is_zsk != (bool)(flags & DNSKEY_GENERATE_ZSK) ||
+		    flags & DNSKEY_GENERATE_SEP_SPEC) {
+			normalize_generate_flags(&flags);
+			key->is_ksk = (flags & DNSKEY_GENERATE_KSK);
+			key->is_zsk = (flags & DNSKEY_GENERATE_ZSK);
+			return dnssec_key_set_flags(key->key, dnskey_flags(flags & DNSKEY_GENERATE_SEP_ON));
+		}
 		return KNOT_EOK;
 	}
 	return KNOT_EINVAL;