diff --git a/base/ca/shared/conf/caCert.profile b/base/ca/shared/conf/caCert.profile
index b9d9eff7d63..c3b06d179b3 100644
--- a/base/ca/shared/conf/caCert.profile
+++ b/base/ca/shared/conf/caCert.profile
@@ -6,7 +6,7 @@ name=All Purpose CA Profile
 description=This profile creates a CA certificate that is valid for all signing purposes.
 profileIDMapping=caCACert
 profileSetIDMapping=caCertSet
-list=2,4,5,6,7
+list=2,7,4,5,6
 2.default.class=com.netscape.cms.profile.def.CAValidityDefault
 2.default.name=CA Certificate Validity Default
 2.default.params.range=7305
diff --git a/base/ca/shared/profiles/ca/caCACert.cfg b/base/ca/shared/profiles/ca/caCACert.cfg
index 8fd7d3361c8..2cab591c393 100644
--- a/base/ca/shared/profiles/ca/caCACert.cfg
+++ b/base/ca/shared/profiles/ca/caCACert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=Subject Name Constraint
 policyset.caCertSet.1.constraint.params.pattern=CN=.*
diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
index 8480a98b7cc..42feeb5b31b 100644
--- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=Subject Name Constraint
 policyset.caCertSet.1.constraint.params.pattern=CN=.*
diff --git a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
index 4324e3303d2..9d107bd4f0f 100644
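Review bot: The reordered `list=` values move id 7 (caCert.profile) and id 8 (caCACert.cfg, caCMCcaCert.cfg, caCrossSignedCACert.cfg, caInstallCACert.cfg) ahead of 4, 5 and 6, but nothing in these hunks shows which policies those ids are, so the reason for the order is only recoverable from the CAEnrollDefault.java change in the same commit, whose comment says the SKI default must run before the AKI default. If the moved ids are indeed the Subject Key Identifier defaults, the sequence is now load-bearing: a profile that keeps the old order gets an AKI computed from the key rather than copied from the SKI, presumably with no error raised. Profiles of this kind are typically copied into instance configuration at install time, so existing instances would not pick the new order up from a package update; the commit message should name the ids being moved and state that instance-local copies of these five profiles need the same change.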
--- a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
+++ b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=userSubjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=User Subject Name Constraint
 policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
diff --git a/base/ca/shared/profiles/ca/caInstallCACert.cfg b/base/ca/shared/profiles/ca/caInstallCACert.cfg
index 451c31e227f..8c3cf2a1209 100644
--- a/base/ca/shared/profiles/ca/caInstallCACert.cfg
+++ b/base/ca/shared/profiles/ca/caInstallCACert.cfg
@@ -11,7 +11,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=caCertSet
-policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.list=1,2,3,8,4,5,6,9,10
 policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.caCertSet.1.constraint.name=Subject Name Constraint
 policyset.caCertSet.1.constraint.params.pattern=CN=.*
diff --git a/base/ca/src/main/java/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/ca/src/main/java/com/netscape/cms/profile/def/CAEnrollDefault.java
index ec02380bbf5..d70d4aabb9d 100644
--- a/base/ca/src/main/java/com/netscape/cms/profile/def/CAEnrollDefault.java
+++ b/base/ca/src/main/java/com/netscape/cms/profile/def/CAEnrollDefault.java
@@ -47,12 +47,26 @@ public CAEnrollDefault() { } public KeyIdentifier getKeyIdentifier(X509CertInfo info) { + return getKeyIdentifier(info, "SHA-1"); + } + public KeyIdentifier getKeyIdentifier(X509CertInfo info, String messageDigest) { String method = "CAEnrollDefault: getKeyIdentifier: "; try { + /* + * The SKI must be placed before the AKI in the enrollment profile + * for this to work properly + */ + SubjectKeyIdentifierExtension ext = (SubjectKeyIdentifierExtension) getExtension(PKIXExtensions.SubjectKey_Id.toString(), info); + if (ext != null) { + logger.debug(method + "found SubjectKey_Id extension"); + KeyIdentifier kid = (KeyIdentifier) ext.get(SubjectKeyIdentifierExtension.KEY_ID); + return kid; + } + // ski not found, calculate the ski CertificateX509Key ckey = (CertificateX509Key) info.get(X509CertInfo.KEY); X509Key key = (X509Key) ckey.get(CertificateX509Key.KEY); - byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey()); + byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey(), messageDigest); if (hash == null) { logger.warn(method + "CryptoUtil.generateKeyIdentifier returns null"); return null; @@ -85,14 +99,20 @@ public KeyIdentifier getCAKeyIdentifier(ICertificateAuthority ca) throws EBaseEx SubjectKeyIdentifierExtension.KEY_ID); return keyId; } catch (IOException e) { + logger.warn(method + e.toString()); + return null; } } + logger.warn(method + "SubjectKeyIdentifierExtension not found in CA signing cert. Returning null"); + return null; + /* SubjectKeyIdentifierExtension has to exist in a CA signing cert byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey()); if (hash == null) { logger.warn(method + "CryptoUtil.generateKeyIdentifier returns null"); return null; } return new KeyIdentifier(hash); + */ } }
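Review bot: The fallback after the new `if (ext != null)` block is silent, so when a profile still evaluates the AKI default before the SKI default (the ordering the new comment says is required, and the one any profile not touched by this commit still has) the identifier is recomputed from the key with `messageDigest` and nothing in the log shows which path produced it; an SKI/AKI mismatch in the issued certificate would then be hard to trace. Suggest replacing the `// ski not found, calculate the ski` comment with `logger.debug(method + "SubjectKey_Id extension not found, computing key identifier with " + messageDigest);`. The new two-argument overload has no Javadoc; it should state that an extension already present in `info` takes precedence and that `messageDigest` only affects the computed fallback. The one-argument overload's `"SHA-1"` default deserves a comment that this is the RFC 5280 §4.2.1.2 method (1) key-identifier derivation rather than a security-relevant hash, so it is not mistaken for an algorithm weakness later. The method body continues past the end of the hunk.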
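Review bot: `logger.warn(method + e.toString())` in the new catch block discards the stack trace; pass the exception as the last argument instead, `logger.warn(method + "unable to read SubjectKeyIdentifierExtension from CA signing cert", e);`. The old computed-identifier code should be deleted rather than kept inside `/* ... */`, since the warn message above it already records why there is no fallback and the commented block will only go stale. The method now returns null from two new places where it previously always produced a KeyIdentifier, so every caller needs a null check; the callers are not visible here, and the method's Javadoc, which lies outside the hunk, should gain `@return the SKI of the CA signing certificate, or null if the extension is absent or unreadable`. getCAKeyIdentifier starts before this hunk.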