From e841a86b48de376f2ba4d71f12ad812738471fd0 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano@smallstep.com>
Date: Tue, 10 Dec 2019 16:34:01 -0800
Subject: [PATCH] Make sure to define the KeyID from the token if available.

---
 authority/provisioner/jwk.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index fa61ee2c..231b1580 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -209,8 +209,9 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	if !opts.ValidBefore.IsZero() {
 		signOptions = append(signOptions, sshCertificateValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix()))
 	}
-	// Make sure to define the the KeyID
-	if opts.KeyID == "" {
+	if opts.KeyID != "" {
+		signOptions = append(signOptions, sshCertificateKeyIDModifier(opts.KeyID))
+	} else {
 		signOptions = append(signOptions, sshCertificateKeyIDModifier(claims.Subject))
 	}