diff --git a/g10/ChangeLog b/g10/ChangeLog
index ab6de78e5..0153c29ce 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,5 +1,9 @@
 2004-10-10  David Shaw  <dshaw@jabberwocky.com>
 
+	* keygen.c (do_add_key_flags): The spec says that all primary keys
+	MUST be able to certify.  Force the certify flag on for primaries
+	(and off for subkeys).
+
 	* keygen.c (generate_keypair): Fix generating keys with the auth
 	flag.
 
diff --git a/g10/keygen.c b/g10/keygen.c
index 62ac28f1f..82ac11383 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -185,13 +185,13 @@ do_add_key_flags (PKT_signature *sig, unsigned int use)
         return;
 
     buf[0] = 0;
+
+    /* The spec says that all primary keys MUST be able to certify. */
+    if(sig->sig_class!=0x18)
+      buf[0] |= 0x01;
+
     if (use & PUBKEY_USAGE_SIG)
-      {
-	if(sig->sig_class==0x18)
-	  buf[0] |= 0x02; /* Don't set the certify flag for subkeys */
-	else
-	  buf[0] |= 0x01 | 0x02;
-      }
+      buf[0] |= 0x02;
     if (use & PUBKEY_USAGE_ENC)
         buf[0] |= 0x04 | 0x08;
     if (use & PUBKEY_USAGE_AUTH)