diff --git a/agent/connect/ca.go b/agent/connect/ca.go
index efe7c14f3b..bca9392d30 100644
--- a/agent/connect/ca.go
+++ b/agent/connect/ca.go
@@ -12,6 +12,7 @@ import (
 // ParseCert parses the x509 certificate from a PEM-encoded value.
 func ParseCert(pemValue string) (*x509.Certificate, error) {
+ // The _ result below is not an error but the remaining PEM bytes.
 block, _ := pem.Decode([]byte(pemValue))
 if block == nil {
 return nil, fmt.Errorf("no PEM-encoded data found")
@@ -27,6 +28,7 @@ func ParseCert(pemValue string) (*x509.Certificate, error) {
 // ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key
 // is expected to be the first block in the PEM value.
 func ParseSigner(pemValue string) (crypto.Signer, error) {
+ // The _ result below is not an error but the remaining PEM bytes.
 block, _ := pem.Decode([]byte(pemValue))
 if block == nil {
 return nil, fmt.Errorf("no PEM-encoded data found")
@@ -44,6 +46,7 @@ func ParseSigner(pemValue string) (crypto.Signer, error) {
 // ParseCSR parses a CSR from a PEM-encoded value. The certificate request
 // must be the the first block in the PEM value.
 func ParseCSR(pemValue string) (*x509.CertificateRequest, error) {
+ // The _ result below is not an error but the remaining PEM bytes.
 block, _ := pem.Decode([]byte(pemValue))
 if block == nil {
 return nil, fmt.Errorf("no PEM-encoded data found")
@@ -57,7 +60,7 @@ func ParseCSR(pemValue string) (*x509.CertificateRequest, error) {
 }
 // KeyId returns a x509 KeyId from the given signing key. The key must be
-// an *ecdsa.PublicKey, but is an interface type to support crypto.Signer.
+// an *ecdsa.PublicKey currently, but may support more types in the future.
 func KeyId(raw interface{}) ([]byte, error) {
 pub, ok := raw.(*ecdsa.PublicKey)
 if !ok {
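Review bot: The comment added at the top of ParseCert (and verbatim in ParseSigner and ParseCSR) explains the discarded second result of pem.Decode but not the consequence a caller needs: everything after the first PEM block is silently ignored, so a bundle passed here is only ever parsed for its first block. That belongs in the doc comment rather than an inline note, e.g. `// ParseCert parses the x509 certificate from a PEM-encoded value. Only the first PEM block is read; any trailing data is ignored.`, and likewise for the other two. The hunk also shows no check of block.Type before the block is handed on; if the rest of ParseCert (outside the hunk) does not verify it, a key-first input is parsed as a certificate and fails later with a less specific error, and `if block.Type != "CERTIFICATE" { return nil, fmt.Errorf("unexpected PEM block type %q", block.Type) }` would make the failure explicit. Each of the three function bodies continues outside its hunk.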
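Review bot: The reworded doc comment for KeyId still does not say what the returned []byte contains, and as the later hunk in this diff shows, the function now returns a colon-separated hex rendering of a SHA-256 digest rather than the raw digest bytes — a caller that places the result directly into a certificate's SubjectKeyId/AuthorityKeyId field would emit the ASCII string, not a binary identifier, which is worth stating up front. I would make the contract explicit: `// KeyId returns a x509 KeyId for the given public key: the colon-separated hex string of the SHA-256 digest of its PKIX encoding. The key must be an *ecdsa.PublicKey currently, but may support more types in the future.` If consumers actually need raw identifier bytes, returning `kID[:]` and leaving display formatting to HexString (declared just below in this file) would keep the two concerns separate. KeyId's body continues outside this hunk.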
@@ -66,12 +69,15 @@ func KeyId(raw interface{}) ([]byte, error) {
 // This is not standard; RFC allows any unique identifier as long as they
 // match in subject/authority chains but suggests specific hashing of DER
- // bytes of public key including DER tags. I can't be bothered to do esp.
- // since ECDSA keys don't have a handy way to marshal the publick key alone.
- h := sha256.New()
- h.Write(pub.X.Bytes())
- h.Write(pub.Y.Bytes())
- return h.Sum([]byte{}), nil
+ // bytes of public key including DER tags.
+ bs, err := x509.MarshalPKIXPublicKey(pub)
+ if err != nil {
+ return nil, err
+ }
+
+ // String formatted
+ kID := sha256.Sum256(bs)
+ return []byte(strings.Replace(fmt.Sprintf("% x", kID), " ", ":", -1)), nil
 }
 // HexString returns a standard colon-separated hex value for the input