diff --git a/key.c b/key.c
index 28d7c6207..93f4ccb24 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.129 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: key.c,v 1.130 2016/05/02 09:36:42 djm Exp $ */
 /*
  * placed in the public domain
  */
@@ -214,7 +214,7 @@ key_certify(Key *k, Key *ca)
 {
 	int r;
 
-	if ((r = sshkey_certify(k, ca)) != 0) {
+	if ((r = sshkey_certify(k, ca, NULL)) != 0) {
 		fatal_on_fatal_errors(r, __func__, 0);
 		error("%s: %s", __func__, ssh_err(r));
 		return -1;
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 079f10321..0bd5fc93a 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.289 2016/05/02 08:49:03 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.290 2016/05/02 09:36:42 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1599,6 +1599,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
 		ca = load_identity(tmp);
 	free(tmp);
 
+	if (key_type_name != NULL &&
+	    sshkey_type_from_name(key_type_name) != ca->type)  {
+		fatal("CA key type %s doesn't match specified %s",
+		    sshkey_ssh_name(ca), key_type_name);
+	}
+
 	for (i = 0; i < argc; i++) {
 		/* Split list of principals */
 		n = 0;
@@ -1640,8 +1646,8 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
 		    &public->cert->signature_key)) != 0)
 			fatal("key_from_private (ca key): %s", ssh_err(r));
 
-		if (sshkey_certify(public, ca) != 0)
-			fatal("Couldn't not certify key %s", tmp);
+		if ((r = sshkey_certify(public, ca, key_type_name)) != 0)
+			fatal("Couldn't certify key %s: %s", tmp, ssh_err(r));
 
 		if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)
 			*cp = '\0';
diff --git a/sshkey.c b/sshkey.c
index 2ce7ada9f..c20e5868b 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.32 2016/04/09 12:39:30 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.33 2016/05/02 09:36:42 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -2370,7 +2370,7 @@ sshkey_drop_cert(struct sshkey *k)
 
 /* Sign a certified key, (re-)generating the signed certblob. */
 int
-sshkey_certify(struct sshkey *k, struct sshkey *ca)
+sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
 {
 	struct sshbuf *principals = NULL;
 	u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
@@ -2460,7 +2460,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
 
 	/* Sign the whole mess */
 	if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
-	    sshbuf_len(cert), NULL, 0)) != 0)
+	    sshbuf_len(cert), alg, 0)) != 0)
 		goto out;
 
 	/* Append signature and we are done */
diff --git a/sshkey.h b/sshkey.h
index a20a14f9e..8c3d866bf 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.12 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: sshkey.h,v 1.13 2016/05/02 09:36:42 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -137,7 +137,7 @@ int	 sshkey_type_is_cert(int);
 int	 sshkey_type_plain(int);
 int	 sshkey_to_certified(struct sshkey *);
 int	 sshkey_drop_cert(struct sshkey *);
-int	 sshkey_certify(struct sshkey *, struct sshkey *);
+int	 sshkey_certify(struct sshkey *, struct sshkey *, const char *);
 int	 sshkey_cert_copy(const struct sshkey *, struct sshkey *);
 int	 sshkey_cert_check_authority(const struct sshkey *, int, int,
     const char *, const char **);