diff --git a/ChangeLog b/ChangeLog index 9ff6362e5..aaf59c35a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - djm@cvs.openbsd.org 2011/01/31 21:42:15 [PROTOCOL.mux] cut'n'pasto; from bert.wesarg AT googlemail.com + - djm@cvs.openbsd.org 2011/02/04 00:44:21 + [key.c] + fix uninitialised nonce variable; reported by Mateusz Kocielski 20110128 - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled diff --git a/key.c b/key.c index 1defb1132..e3a305e66 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.95 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: key.c,v 1.96 2011/02/04 00:44:21 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1886,10 +1886,9 @@ key_certify(Key *k, Key *ca) buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); /* -v01 certs put nonce first */ - if (!key_cert_is_legacy(k)) { - arc4random_buf(&nonce, sizeof(nonce)); + arc4random_buf(&nonce, sizeof(nonce)); + if (!key_cert_is_legacy(k)) buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); - } switch (k->type) { case KEY_DSA_CERT_V00:
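Review bot: The hoisted `arc4random_buf(&nonce, sizeof(nonce));` in key_certify() now sits directly under the comment `/* -v01 certs put nonce first */`, which describes only the conditional `buffer_put_string()` that follows, so nothing on the new side says why the fill must be unconditional. Going by the ChangeLog entry, the legacy path presumably uses `nonce` later in the function (outside this hunk), so a later tidy-up that moves the call back inside the `if` would presumably again let uninitialised stack bytes reach the certificate blob. I would add a comment above the call such as `/* always fill nonce: legacy certs use it too, later in this function */` and keep the existing comment on the `if`. As a point of style, `arc4random_buf(nonce, sizeof(nonce));` would match how `nonce` is passed to `buffer_put_string()` two lines below, assuming it is declared as an array. key_certify()'s body starts and ends outside the hunk.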