diff --git a/types/certificate_generator.go b/types/certificate_generator.go
index 058e2a37..f32a0ef4 100644
--- a/types/certificate_generator.go
+++ b/types/certificate_generator.go
@@ -3,6 +3,7 @@ package types
 import (
 "crypto/rand"
 "crypto/rsa"
+ "crypto/sha256"
 "crypto/x509"
 "crypto/x509/pkix"
 "encoding/pem"
@@ -10,8 +11,6 @@ import (
 "net"
 "time"
- "crypto/sha1"
-
 "github.com/cloudfoundry/bosh-utils/errors"
 )
@@ -60,10 +59,15 @@ func (cfg CertificateGenerator) Generate(parameters interface{}) (interface{}, e
 return cfg.generateCertificate(params)
 }
-func (cfg CertificateGenerator) bigIntHash(n *big.Int) []byte {
- h := sha1.New()
- h.Write(n.Bytes())
- return h.Sum(nil)
+// computeSubjectKeyId derives the SubjectKeyIdentifier per RFC 7093 Method 4:
+// SHA-256 of the full DER-encoded SubjectPublicKeyInfo structure.
+func computeSubjectKeyId(pub *rsa.PublicKey) ([]byte, error) {
+ pubDER, err := x509.MarshalPKIXPublicKey(pub)
+ if err != nil {
+ return nil, err
+ }
+ hash := sha256.Sum256(pubDER)
+ return hash[:], nil
 }
 func (cfg CertificateGenerator) generateCertificate(cParams certParams) (CertResponse, error) {
@@ -94,7 +98,11 @@ func (cfg CertificateGenerator) generateCertificate(cParams certParams) (CertRes
 }
 }
- certTemplate.SubjectKeyId = cfg.bigIntHash(privateKey.N)
+ subjectKeyId, err := computeSubjectKeyId(&privateKey.PublicKey)
+ if err != nil {
+ return certResponse, errors.WrapError(err, "Computing SubjectKeyId")
+ }
+ certTemplate.SubjectKeyId = subjectKeyId
 if cParams.IsCA {
 certTemplate.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
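Review bot: The doc comment on `computeSubjectKeyId` should say that the result is the full 32-byte SHA-256 digest, because RFC 7093 Methods 1–3 truncate to 160 bits and a reader may expect a 20-byte value like the SHA-1 one this replaces. I would add `// The result is the untruncated 32-byte digest; it identifies the key for chain building and is not an integrity check.` below the existing comment. A unit test that checks `len(id) == sha256.Size` and compares the value with `sha256.Sum256` over the `x509.MarshalPKIXPublicKey` output would pin the format, since anything that stored or pinned the previous identifier will see a different value after this change.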
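Review bot: Nothing in this hunk shows how `AuthorityKeyId` is set for certificates signed by an existing CA, and that matters now that the identifier format changes: CAs issued before this commit carry a SHA-1-of-modulus `SubjectKeyId`. The child's `AuthorityKeyId` has to come from the signing certificate's stored `SubjectKeyId` (which `x509.CreateCertificate` takes from the parent for non-self-signed certificates) and must not be recomputed with `computeSubjectKeyId`, otherwise validators that match AKI to SKI during path building may fail to link the chain. generateCertificate's body starts and ends outside the hunk, so this needs confirming there, ideally with a test that signs a leaf using a CA that still has the old-style identifier.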