diff --git a/src/crypto/OperationalKeystore.h b/src/crypto/OperationalKeystore.h
index bfa846b9d1a8be..6af92629174810 100644
--- a/src/crypto/OperationalKeystore.h
+++ b/src/crypto/OperationalKeystore.h
@@ -148,6 +148,19 @@ class OperationalKeystore
     virtual void RevertPendingKeypair() = 0;
 
     // ==== Primary operation required: signature
+    /**
+     * @brief Whether `SignWithOpKeypair` may be performed in the background.
+     *
+     * If true, `CASESession` may attempt to perform `SignWithOpKeypair` in the
+     * background. In this case, `OperationalKeystore` should protect itself,
+     * e.g. with a mutex, as the signing could occur at any time during session
+     * establishment.
+     *
+     * @retval true if `SignWithOpKeypair` may be performed in the background
+     * @retval false if `SignWithOpKeypair` may NOT be performed in the background
+     */
+    virtual bool SupportsSignWithOpKeypairInBackground() const { return false; }
+
     /**
      * @brief Sign a message with a fabric's currently-active operational keypair.
      *
@@ -164,7 +177,6 @@ class OperationalKeystore
      * @retval CHIP_ERROR_INVALID_FABRIC_INDEX if no active key is found for the given `fabricIndex` or if
      *                                         `fabricIndex` is invalid.
      * @retval other CHIP_ERROR value on internal crypto engine errors
-     *
      */
     virtual CHIP_ERROR SignWithOpKeypair(FabricIndex fabricIndex, const ByteSpan & message,
                                          Crypto::P256ECDSASignature & outSignature) const = 0;
diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp
index 70146409192202..512ed319623b92 100644
--- a/src/protocols/secure_channel/CASESession.cpp
+++ b/src/protocols/secure_channel/CASESession.cpp
@@ -1309,16 +1309,16 @@ CHIP_ERROR CASESession::SendSigma3a()
         {
             const FabricInfo * fabricInfo = mFabricsTable->FindFabricWithIndex(mFabricIndex);
             VerifyOrExit(fabricInfo != nullptr, err = CHIP_ERROR_KEY_NOT_FOUND);
-            if (fabricInfo->HasOperationalKey())
+            auto * keystore = mFabricsTable->GetOperationalKeystore();
+            if (!fabricInfo->HasOperationalKey() && keystore != nullptr && keystore->SupportsSignWithOpKeypairInBackground())
             {
-                // NOTE: used to sign in foreground.
-                data.fabricTable = mFabricsTable;
+                // NOTE: used to sign in background.
+                data.keystore = keystore;
             }
             else
             {
-                // NOTE: used to sign in background.
-                data.keystore = mFabricsTable->GetOperationalKeystore();
-                VerifyOrExit(data.keystore != nullptr, err = CHIP_ERROR_KEY_NOT_FOUND);
+                // NOTE: used to sign in foreground.
+                data.fabricTable = mFabricsTable;
             }
         }