diff --git a/ssh2kex-client.c b/ssh2kex-client.c
index c4d9c02d..740c0829 100644
--- a/ssh2kex-client.c
+++ b/ssh2kex-client.c
@@ -836,6 +836,9 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s)
             s->hostkey_str = s->keystr;
             s->keystr = NULL;
         } else if (s->cross_certifying) {
+            assert(s->hkey);
+            assert(ssh_key_alg(s->hkey) == s->cross_certifying);
+
             s->fingerprint = ssh2_fingerprint(s->hkey);
             ppl_logevent(("Storing additional host key for this host:"));
             ppl_logevent(("%s", s->fingerprint));
@@ -843,7 +846,6 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s)
             s->fingerprint = NULL;
             store_host_key(s->savedhost, s->savedport,
                            ssh_key_cache_id(s->hkey), s->keystr);
-            s->cross_certifying = false;
             /*
              * Don't forget to store the new key as the one we'll be
              * re-checking in future normal rekeys.
@@ -857,6 +859,7 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s)
              * enforce that the key we're seeing this time is identical to
              * the one we saw before.
              */
+            assert(s->keystr);         /* filled in by prior key exchange */
             if (strcmp(s->hostkey_str, s->keystr)) {
 #ifndef FUZZING
                 ssh_sw_abort(s->ppl.ssh,
diff --git a/ssh2transport.c b/ssh2transport.c
index 8ecd9204..e02205fd 100644
--- a/ssh2transport.c
+++ b/ssh2transport.c
@@ -1856,8 +1856,7 @@ static void ssh2_transport_special_cmd(PacketProtocolLayer *ppl,
 	}
     } else if (code == SS_XCERT) {
 	if (!s->kex_in_progress) {
-            s->hostkey_alg = ssh2_hostkey_algs[arg].alg;
-            s->cross_certifying = true;
+            s->cross_certifying = s->hostkey_alg = ssh2_hostkey_algs[arg].alg;
             s->rekey_reason = "cross-certifying new host key";
             s->rekey_class = RK_NORMAL;
             queue_idempotent_callback(&s->ppl.ic_process_queue);
diff --git a/ssh2transport.h b/ssh2transport.h
index de6a6fe1..11414bc4 100644
--- a/ssh2transport.h
+++ b/ssh2transport.h
@@ -204,10 +204,12 @@ struct ssh2_transport_state {
     int n_uncert_hostkeys;
 
     /*
-     * Flag indicating that the current rekey is intended to finish
-     * with a newly cross-certified host key.
+     * Indicate that the current rekey is intended to finish with a
+     * newly cross-certified host key. To double-check that we
+     * certified the right one, we set this to point to the host key
+     * algorithm we expect it to be.
      */
-    bool cross_certifying;
+    const ssh_keyalg *cross_certifying;
 
     ssh_key *const *hostkeys;
     int nhostkeys;