diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh
index 9764bf4606..0bbbe1be3b 100644
--- a/bin/tests/system/keyfromlabel/tests.sh
+++ b/bin/tests/system/keyfromlabel/tests.sh
@@ -22,7 +22,9 @@ keygen() {
 zone="$3"
 id="$4"
- pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${id}-${zone}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
+ label="${id}-${zone}"
+ p11id=$(echo "${label}" | sha1sum - | awk '{print $1}')
+ pkcs11-tool --module $SOFTHSM2_MODULE -l -k --key-type $type:$bits --label "${label}" --id "${p11id//$'\n'/}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1
 }
 keyfromlabel() {
diff --git a/doc/arm/pkcs11.rst b/doc/arm/pkcs11.rst
index 690c1a0120..5132a3b229 100644
--- a/doc/arm/pkcs11.rst
+++ b/doc/arm/pkcs11.rst
@@ -145,7 +145,7 @@ We need to generate at least two RSA keys:
 ::
 pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-ksk --pin
- pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-ksk --pin
+ pkcs11-tool --module -l -k --key-type rsa:2048 --label example.net-zsk --pin
 Remember that each key should have unique label and we are going to use that label to reference the private key.
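Review bot: The `"${p11id//$'\n'/}"` expansion on the new pkcs11-tool line is both redundant and non-portable: `$(...)` already strips trailing newlines and `awk '{print $1}'` emits a single field, so `p11id` never contains a newline, while `${var//pat/rep}` and `$'\n'` are bash-only and break under a POSIX `/bin/sh` if this test script runs there (the shebang is outside the hunk, so confirm). Passing `--id "${p11id}"` is equivalent and portable. The new `p11id=` line also does not check that the hash step succeeded, so if `sha1sum` or `awk` is unavailable `p11id` is empty and pkcs11-tool is invoked with `--id ""`; a guard such as `[ -n "${p11id}" ] || return 1` keeps the failure at the point it occurs. SHA-1 is fine here since the digest is only used as a unique CKA_ID, not for any security property, and a short comment saying so (`# CKA_ID derived from the label; uniqueness only, not a security use`) would stop a later reader from flagging it. keygen() starts outside the hunk.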
@@ -197,6 +197,18 @@ The output should look like this (the second number will be different):
 Kexample.net.+008+42231.key
 Kexample.net.+008+42231.private
+A note on generating ECDSA keys: there is a bug in libp11 when looking up a key,
+that function compares keys only on their ID, not the label. So when looking up
+a key it returns the first key, rather than the matching key. The workaround for
+this is when creating ECDSA keys, you should specify a unique ID:
+
+::
+
+ ksk=$(echo "example.net-ksk" | sha1sum - | awk '{print $1}')
+ zsk=$(echo "example.net-zsk" | sha1sum - | awk '{print $1}')
+ pkcs11-tool --module -l -k --key-type EC:prime256v1 --id $ksk --label example.net-ksk --pin
+ pkcs11-tool --module -l -k --key-type EC:prime256v1 --id $zsk --label example.net-zsk --pin
+
 Specifying the Engine on the Command Line
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~