diff --git a/cmd/csaf_provider/controller.go b/cmd/csaf_provider/controller.go
index 520dca9..c441106 100644
--- a/cmd/csaf_provider/controller.go
+++ b/cmd/csaf_provider/controller.go
@@ -112,65 +112,66 @@ func loadCSAF(r *http.Request) (string, []byte, error) {
 	return cleanFileName(handler.Filename), buf.Bytes(), nil
 }
 
-func (c *controller) handleSignature(r *http.Request, data []byte) (string, string, error) {
+func (c *controller) handleSignature(
+	r *http.Request,
+	data []byte,
+) (string, *crypto.Key, error) {
 
 	// Either way ... we need the key.
 	key, err := c.cfg.loadCryptoKey()
 	if err != nil {
-		return "", "", err
+		return "", nil, err
 	}
 
-	fingerprint := key.GetFingerprint()
-
 	// Was the signature given via request?
 	if c.cfg.UploadSignature {
 		sigText := r.FormValue("signature")
 		if sigText == "" {
-			return "", "", errors.New("missing signature in request")
+			return "", nil, errors.New("missing signature in request")
 		}
 
 		pgpSig, err := crypto.NewPGPSignatureFromArmored(sigText)
 		if err != nil {
-			return "", "", err
+			return "", nil, err
 		}
 
 		// Use as public key
 		signRing, err := crypto.NewKeyRing(key)
 		if err != nil {
-			return "", "", err
+			return "", nil, err
 		}
 
 		if err := signRing.VerifyDetached(
 			crypto.NewPlainMessage(data),
 			pgpSig, crypto.GetUnixTime(),
 		); err != nil {
-			return "", "", err
+			return "", nil, err
 		}
 
-		return sigText, fingerprint, nil
+		return sigText, key, nil
 	}
 
 	// Sign ourself
 
 	if passwd := r.FormValue("passphrase"); !c.cfg.NoPassphrase && passwd != "" {
 		if key, err = key.Unlock([]byte(passwd)); err != nil {
-			return "", "", err
+			return "", nil, err
 		}
 	}
 
 	// Use as private key
 	signRing, err := crypto.NewKeyRing(key)
 	if err != nil {
-		return "", "", err
+		return "", nil, err
 	}
 
 	sig, err := signRing.SignDetached(crypto.NewPlainMessage(data))
 	if err != nil {
-		return "", "", err
+		return "", nil, err
 	}
 
 	armored, err := sig.GetArmored()
-	return armored, fingerprint, err
+	return armored, key, err
 }
 
 func (c *controller) upload(rw http.ResponseWriter, r *http.Request) {
@@ -208,7 +209,7 @@ func (c *controller) upload(rw http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	armored, fingerprint, err := c.handleSignature(r, data)
+	armored, key, err := c.handleSignature(r, data)
 	if err != nil {
 		c.failed(rw, "upload.html", err)
 		return
@@ -330,7 +331,8 @@ func (c *controller) upload(rw http.ResponseWriter, r *http.Request) {
 			// TODO: Check for conflicts.
 			pmd.Publisher = ex.publisher
 
-			pmd.SetPGP(fingerprint, c.cfg.GetOpenPGPURL(fingerprint))
+			keyID, fingerprint := key.GetHexKeyID(), key.GetFingerprint()
+			pmd.SetPGP(fingerprint, c.cfg.GetOpenPGPURL(keyID))
 
 			return nil
 		}); err != nil {
diff --git a/cmd/csaf_provider/create.go b/cmd/csaf_provider/create.go
index 0bc9127..29a361d 100644
--- a/cmd/csaf_provider/create.go
+++ b/cmd/csaf_provider/create.go
@@ -101,8 +101,8 @@ func createProviderMetadata(c *config, wellknownCSAF string) error {
 	if err != nil {
 		return err
 	}
-	fingerprint := key.GetFingerprint()
-	pm.SetPGP(fingerprint, c.GetOpenPGPURL(fingerprint))
+	keyID, fingerprint := key.GetHexKeyID(), key.GetFingerprint()
+	pm.SetPGP(fingerprint, c.GetOpenPGPURL(keyID))
 
 	return saveToFile(path, pm)
 }