diff --git a/src/bin/generate-keypairs.ts b/src/bin/generate-keypairs.ts
index 3413162d..e818af10 100644
--- a/src/bin/generate-keypairs.ts
+++ b/src/bin/generate-keypairs.ts
@@ -61,6 +61,12 @@ async function main(): Promise<void> {
     subjectPublicKey: initialSessionKeyPair.publicKey,
     validityEndDate: sessionCertEndDate,
   });
+  // Force the certificate to have the serial number specified in ENDPOINT_KEY_ID. This nasty
+  // hack won't be necessary once https://github.com/relaycorp/relaynet-pong/issues/26 is done.
+  // tslint:disable-next-line:no-object-mutation
+  (initialKeyCertificate as any).pkijsCertificate.serialNumber.valueBlock.valueHex = bufferToArray(
+    endpointKeyId,
+  );
   await sessionStore.saveInitialSessionKey(initialSessionKeyPair.privateKey, initialKeyCertificate);
 
   console.log(