diff --git a/acme4j-client/src/main/java/org/shredzone/acme4j/impl/AbstractAcmeClient.java b/acme4j-client/src/main/java/org/shredzone/acme4j/impl/AbstractAcmeClient.java
index 44ce8c96..ef09f113 100644
--- a/acme4j-client/src/main/java/org/shredzone/acme4j/impl/AbstractAcmeClient.java
+++ b/acme4j-client/src/main/java/org/shredzone/acme4j/impl/AbstractAcmeClient.java
@@ -190,33 +190,35 @@ public abstract class AbstractAcmeClient implements AcmeClient {
 throw new IllegalArgumentException("newKeyPair must actually be a new key pair");
 }
- String newKey;
- try {
- ClaimBuilder oldKeyClaim = new ClaimBuilder();
- oldKeyClaim.putResource("reg");
- oldKeyClaim.putKey("oldKey", registration.getKeyPair().getPublic());
+ LOG.debug("changeRegistrationKey");
- final PublicJsonWebKey newKeyJwk = PublicJsonWebKey.Factory.newPublicJwk(newKeyPair.getPublic());
+ String rollover;
+ try {
+ ClaimBuilder newKeyClaim = new ClaimBuilder();
+ newKeyClaim.putResource("reg");
+ newKeyClaim.putBase64("newKey", SignatureUtils.jwkThumbprint(newKeyPair.getPublic()));
+
+ final PublicJsonWebKey oldKeyJwk = PublicJsonWebKey.Factory.newPublicJwk(registration.getKeyPair().getPublic());
 JsonWebSignature jws = new JsonWebSignature();
- jws.setPayload(oldKeyClaim.toString());
- jws.getHeaders().setJwkHeaderValue("jwk", newKeyJwk);
- jws.setAlgorithmHeaderValue(SignatureUtils.keyAlgorithm(newKeyJwk));
- jws.setKey(newKeyPair.getPrivate());
+ jws.setPayload(newKeyClaim.toString());
+ jws.getHeaders().setJwkHeaderValue("jwk", oldKeyJwk);
+ jws.setAlgorithmHeaderValue(SignatureUtils.keyAlgorithm(oldKeyJwk));
+ jws.setKey(registration.getKeyPair().getPrivate());
 jws.sign();
- newKey = jws.getCompactSerialization();
+ rollover = jws.getCompactSerialization();
 } catch (JoseException ex) {
- throw new AcmeProtocolException("Bad newKeyPair", ex);
+ throw new AcmeProtocolException("Cannot sign newKey", ex);
 }
- LOG.debug("changeRegistrationKey");
 try (Connection conn = createConnection()) {
 ClaimBuilder claims = new ClaimBuilder();
 claims.putResource("reg");
- claims.put("newKey", newKey);
+ claims.put("rollover", rollover);
- int rc = conn.sendSignedRequest(registration.getLocation(), claims, session, registration);
+ Registration newReg = new Registration(newKeyPair, registration.getLocation());
+ int rc = conn.sendSignedRequest(registration.getLocation(), claims,
session, newReg);
 if (rc != HttpURLConnection.HTTP_OK) {
 conn.throwAcmeException();
 }
diff --git a/acme4j-client/src/test/java/org/shredzone/acme4j/impl/AbstractAcmeClientTest.java b/acme4j-client/src/test/java/org/shredzone/acme4j/impl/AbstractAcmeClientTest.java
index 18b8d12d..483d8b0e 100644
--- a/acme4j-client/src/test/java/org/shredzone/acme4j/impl/AbstractAcmeClientTest.java
+++ b/acme4j-client/src/test/java/org/shredzone/acme4j/impl/AbstractAcmeClientTest.java
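Review bot: The lines from `String rollover;` through `jws.sign();` need a comment stating which key signs which layer, because the whole security property of the rollover rests on that pairing and the new code is a near-copy of the removed block with the keys swapped, so a future edit can silently invert it again: `// Inner JWS: signed with the current account key, binding the new key by its JWK thumbprint; the outer request below is signed with the new key (newReg) to prove possession of it.` Separately, `registration` still holds the old key pair when this method returns while `newReg` is a local; unless the rest of the body (outside the hunk) updates it or hands `newReg` back, a caller that keeps using the original Registration will sign its next request with a key the server has just retired, so the method's Javadoc should say the old Registration must be discarded after a successful rollover. The enclosing method starts before the hunk.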
@@ -168,31 +168,29 @@ public class AbstractAcmeClientTest {
 Connection connection = new DummyConnection() {
 @Override
 public int sendSignedRequest(URI uri, ClaimBuilder claims, Session session, Registration registration) {
+ assertThat(uri, is(locationUri));
+ assertThat(session, is(notNullValue()));
+ assertThat(registration.getKeyPair(), is(sameInstance(newKeyPair))); // registration has new KeyPair!
+
 Map claimMap = claims.toMap();
 assertThat(claimMap.get("resource"), is((Object) "reg"));
- assertThat(claimMap.get("newKey"), not(nullValue()));
+ assertThat(claimMap.get("rollover"), not(nullValue()));
 try {
 StringBuilder expectedPayload = new StringBuilder();
 expectedPayload.append('{');
 expectedPayload.append("\"resource\":\"reg\",");
- expectedPayload.append("\"oldKey\":{");
- expectedPayload.append("\"kty\":\"").append(TestUtils.KTY).append("\",");
- expectedPayload.append("\"e\":\"").append(TestUtils.E).append("\",");
- expectedPayload.append("\"n\":\"").append(TestUtils.N).append("\"");
- expectedPayload.append("}}");
+ expectedPayload.append("\"newKey\":\"").append(TestUtils.D_THUMBPRINT).append("\"");
+ expectedPayload.append("}");
- String newKey = (String) claimMap.get("newKey");
- JsonWebSignature jws = (JsonWebSignature) JsonWebSignature.fromCompactSerialization(newKey);
- jws.setKey(newKeyPair.getPublic());
+ String rollover = (String) claimMap.get("rollover");
+ JsonWebSignature jws = (JsonWebSignature) JsonWebSignature.fromCompactSerialization(rollover);
+ jws.setKey(accountKeyPair.getPublic()); // signed with the old KeyPair!
 assertThat(jws.getPayload(), sameJSONAs(expectedPayload.toString()));
 } catch (JoseException ex) {
- throw new AcmeProtocolException("Bad newKey", ex);
+ throw new AcmeProtocolException("Bad rollover", ex);
 }
- assertThat(uri, is(locationUri));
- assertThat(session, is(notNullValue()));
- assertThat(registration.getKeyPair(), is(sameInstance(accountKeyPair)));
 return HttpURLConnection.HTTP_OK;
 }
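Review bot: The signature on the rollover JWS is only verified implicitly — after `jws.setKey(accountKeyPair.getPublic());` the test depends on `jws.getPayload()` checking the signature before returning the payload (jose4j behaviour, as far as I can tell), so a wrong-key regression would surface as an `AcmeProtocolException` thrown out of the dummy connection rather than as a failed assertion. An explicit `assertThat(jws.verifySignature(), is(true));` placed before the payload comparison turns the `// signed with the old KeyPair!` comment into a check that names what went wrong. It would also be worth asserting that the inner JWS header carries the old key's JWK, since the client sets it and that is what a server would use to choose the verification key. The enclosing test method starts before the hunk.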