diff --git a/albatross.opam b/albatross.opam
index 9ee9d7c..6ff1986 100644
--- a/albatross.opam
+++ b/albatross.opam
@@ -20,7 +20,7 @@ depends: [
 "fmt"
 "astring"
 "jsonm"
- "x509" {>= "0.10.0"}
+ "x509" {>= "0.11.0"}
 "tls" {>= "0.11.0"}
 "mirage-crypto-pk"
 "mirage-crypto-rng"
diff --git a/client/albatross_client_bistro.ml b/client/albatross_client_bistro.ml
index f416444..729d6fe 100644
--- a/client/albatross_client_bistro.ml
+++ b/client/albatross_client_bistro.ml
@@ -69,7 +69,10 @@ let handle (host, port) cert key ca id (cmd : Vmm_commands.t) =
 key_ids extensions Signing_request.((info csr).public_key) (`RSA capub)
 in
 let issuer = Certificate.subject cert in
- match Signing_request.sign csr ~valid_from ~valid_until ~extensions key issuer with
+ match
+ Rresult.R.error_to_msg ~pp_error:X509.Validation.pp_signature_error
+ (Signing_request.sign csr ~valid_from ~valid_until ~extensions key issuer)
+ with
 | Error _ as e -> Lwt.return e
 | Ok mycert ->
 let certificates = `Single ([ mycert ; cert ], tmpkey) in
diff --git a/provision/albatross_provision.ml b/provision/albatross_provision.ml
index 747a4c9..b5548e5 100644
--- a/provision/albatross_provision.ml
+++ b/provision/albatross_provision.ml
@@ -52,7 +52,8 @@ let sign ?dbname ?certname extensions issuer key csr delta =
 let capub = `RSA (Mirage_crypto_pk.Rsa.pub_of_priv priv) in
 key_ids extensions X509.Signing_request.((info csr).public_key) capub
 in
- X509.Signing_request.sign csr ~valid_from ~valid_until ~extensions key issuer >>= fun cert ->
+ Rresult.R.error_to_msg ~pp_error:X509.Validation.pp_signature_error
+ (X509.Signing_request.sign csr ~valid_from ~valid_until ~extensions key issuer) >>= fun cert ->
 (match dbname with
 | None -> Ok () (* no DB! *)
 | Some dbname ->
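Review bot: The signing failure in the `handle` hunk of client/albatross_client_bistro.ml is turned into a bare `Msg` that carries only the signature error text, so a refused certificate request is presumably hard to tell apart from any other failure returned on the same error channel; the `sign` hunk in provision/albatross_provision.ml has the same issue. A rejected signing request is worth identifying as such in logs, for example with `~pp_error:(fun ppf e -> Fmt.pf ppf "signing certificate request failed: %a" X509.Validation.pp_signature_error e)`. The identical wrapper now appears in both files, so a small shared helper would keep the two call sites from drifting apart. Both `handle` and `sign` continue outside their hunks, so how callers report the error is not visible here.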