diff --git a/acme/challenge.go b/acme/challenge.go
index b937f213..ad10232c 100644
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -463,6 +463,15 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 return NewErrorISE("missing provisioner")
 }
+ jwk, ok = ctx.Value("jwk").(*jose.JSONWebKey)
+ if !ok || jwk == nil {
+ return storeError(ctx, db, ch, false, NewError(ErrorServerInternalType, "failed fetching the client JWK from context"))
+ }
+ kid, thumbprintErr := jwk.Thumbprint(crypto.SHA256)
+ if thumbprintErr != nil {
+ return storeError(ctx, db, ch, false, WrapError(ErrorServerInternalType, thumbprintErr, "failed to compute JWK thumbprint"))
+ }
 dpopOptions := provisioner.GetOptions().GetDPOPOptions()
 key := dpopOptions.GetSigningKey()
@@ -522,7 +531,9 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 "--issuer", issuer,
 "--hash-algorithm",
- `"SHA-256"`,
+ `SHA-256`,
+ "--kid",
+ string(kid),
 "--key", file.Name(),
 )
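Review bot: The added `jwk, ok = ctx.Value("jwk").(*jose.JSONWebKey)` overwrites the `jwk` that the hunk header shows is already a parameter of wireDPOP01Validate, so whichever value the caller passed is silently discarded in favour of the context value; if the context is the intended source, the parameter is now dead and should be dropped or the two should be checked against each other. Using the bare string `"jwk"` as a context key also collides with any other package storing under the same string; the usual fix is a package-private key type, e.g. `type ctxKey string; const jwkKey ctxKey = "jwk"`, and `ctx.Value(jwkKey)`. Note too that the line just above returns `NewErrorISE` for a missing provisioner while the new checks go through `storeError(..., false, ...)` with `ErrorServerInternalType`, which marks the challenge invalid for what is a server-side failure; one convention should be picked. The function's body starts and ends outside this hunk.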
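Review bot: `string(kid)` on the `--kid` argument hands the external verifier the raw SHA-256 digest, because go-jose's `Thumbprint` returns the hash bytes rather than the base64url form that RFC 7638 defines as the JWK thumbprint `kid`; 32 arbitrary bytes are not valid argv text and any NUL byte will make the exec fail outright. Assuming the tool expects the RFC 7638 encoding, the line should be `base64.RawURLEncoding.EncodeToString(kid)` (with `encoding/base64` imported, if it is not already); if it expects hex or something else, the call should still be an explicit encoding rather than a byte-to-string conversion. It would also be worth a one-line comment at the `--kid` argument stating which encoding the DPoP verifier requires, since nothing in this file makes that visible. The argument list and the surrounding function continue outside this hunk.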