diff --git a/cmd/ceremony/key.go b/cmd/ceremony/key.go
index 2315a2081..f3210c75d 100644
--- a/cmd/ceremony/key.go
+++ b/cmd/ceremony/key.go
@@ -57,12 +57,12 @@ func generateKey(session *pkcs11helpers.Session, label string, outputPath string
 	var keyID []byte
 	switch config.Type {
 	case "rsa":
-		pubKey, keyID, err = rsaGenerate(session, label, config.RSAModLength)
+		pubKey, keyID, err = rsaGenerate(session, label, config.RSAModLength, config.Extractable)
 		if err != nil {
 			return nil, fmt.Errorf("failed to generate RSA key pair: %w", err)
 		}
 	case "ecdsa":
-		pubKey, keyID, err = ecGenerate(session, label, config.ECDSACurve)
+		pubKey, keyID, err = ecGenerate(session, label, config.ECDSACurve, config.Extractable)
 		if err != nil {
 			return nil, fmt.Errorf("failed to generate ECDSA key pair: %w", err)
 		}