diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index fa61ee2c..231b1580 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -209,8 +209,9 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	if !opts.ValidBefore.IsZero() {
 		signOptions = append(signOptions, sshCertificateValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix()))
 	}
-	// Make sure to define the the KeyID
-	if opts.KeyID == "" {
+	if opts.KeyID != "" {
+		signOptions = append(signOptions, sshCertificateKeyIDModifier(opts.KeyID))
+	} else {
 		signOptions = append(signOptions, sshCertificateKeyIDModifier(claims.Subject))
 	}