diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
index 063b1dc8..8bf76e83 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeyRingBuilder.java
@@ -38,6 +38,7 @@ import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPSecretKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;
 import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
 import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
@@ -54,6 +55,7 @@ import org.pgpainless.key.generation.type.rsa.RsaLength;
 import org.pgpainless.key.util.UserId;
 import org.pgpainless.provider.ProviderFactory;
 import org.pgpainless.util.Passphrase;
+import org.pgpainless.util.SignatureSubpacketGeneratorUtil;
 public class KeyRingBuilder implements KeyRingBuilderInterface {
@@ -192,8 +194,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface {
 }
 private boolean hasCertifyOthersFlag(KeySpec keySpec) {
- int flags = keySpec.getSubpackets().getKeyFlags();
- return KeyFlag.hasKeyFlag(flags, KeyFlag.CERTIFY_OTHER);
+ return SignatureSubpacketGeneratorUtil.hasKeyFlag(KeyFlag.CERTIFY_OTHER, keySpec.getSubpacketGenerator());
 }
 private boolean keyIsCertificationCapable(KeySpec keySpec) {
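Review bot: In `hasCertifyOthersFlag`, the result of `keySpec.getSubpacketGenerator()` is handed to `SignatureSubpacketGeneratorUtil.hasKeyFlag` without a null check, although the unchanged `getSubpackets()` visible in the KeySpec hunk treats a null `subpacketGenerator` as a possible state. A null generator would therefore fail with a NullPointerException inside the utility rather than with a clear message; the same unguarded dereference appears in the `build` hunk (`hashedSubPacketGenerator.setPrimaryUserID(...)`) and in the new public `hasKeyFlag` / `getSubpacketsOfType`. Because this check presumably gates whether the primary key is accepted as certification-capable, an explicit guard is safer: `PGPSignatureSubpacketGenerator generator = keySpec.getSubpacketGenerator();` then `return generator != null && SignatureSubpacketGeneratorUtil.hasKeyFlag(KeyFlag.CERTIFY_OTHER, generator);`.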
@@ -267,7 +268,9 @@ public class KeyRingBuilder implements KeyRingBuilderInterface {
 PGPKeyPair certKey = generateKeyPair(certKeySpec);
 PGPContentSignerBuilder signer = buildContentSigner(certKey);
 signatureGenerator = new PGPSignatureGenerator(signer);
- PGPSignatureSubpacketVector hashedSubPackets = certKeySpec.getSubpackets();
+ PGPSignatureSubpacketGenerator hashedSubPacketGenerator = certKeySpec.getSubpacketGenerator();
+ hashedSubPacketGenerator.setPrimaryUserID(false, true);
+ PGPSignatureSubpacketVector hashedSubPackets = hashedSubPacketGenerator.generate();
 // Generator which the user can get the key pair from
 PGPKeyRingGenerator ringGenerator = buildRingGenerator(certKey, signer, hashedSubPackets);
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java
index 9fd8c2cc..60639849 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpec.java
@@ -46,6 +46,10 @@ public class KeySpec {
 return subpacketGenerator != null ? subpacketGenerator.generate() : null;
 }
+ PGPSignatureSubpacketGenerator getSubpacketGenerator() {
+ return subpacketGenerator;
+ }
+
 boolean isInheritedSubPackets() {
 return inheritedSubPackets;
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java
index 43e5e7d1..17f4c55f 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/generation/KeySpecBuilder.java
@@ -34,7 +34,6 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
 KeySpecBuilder(@Nonnull KeyType type) {
 this.type = type;
- hashedSubPackets.setPrimaryUserID(false, true);
 }
 @Override
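Review bot: In the KeyRingBuilder hunk, `hashedSubPacketGenerator.setPrimaryUserID(false, true)` acts on the object returned by `certKeySpec.getSubpacketGenerator()`, which the KeySpec hunk shows is the spec's own field and not a copy, so building a key ring mutates the caller's KeySpec as a side effect. If the same spec is built more than once, a further primary-user-ID subpacket would presumably be appended to the hashed area each time; removing any existing packet of that type first (the utility class already offers `removeAllPacketsOfType`) would make the call idempotent. The two boolean arguments also deserve a comment such as `// isCritical = false, isPrimaryUserID = true`. The enclosing method starts and ends outside this hunk, so a guard elsewhere is not ruled out.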
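Review bot: The new `getSubpacketGenerator()` in KeySpec has no documentation, yet it differs from the neighbouring `getSubpackets()` in two ways that callers need to know: it returns the live mutable generator, and it returns null without any guard when no generator was set. A short Javadoc would make both explicit, for example `/** Returns the mutable subpacket generator backing this spec, or null if none was set; changes made through it alter the spec. */`. Keeping the accessor package-private, as it is here, is a sensible limit on who can modify the signature subpackets.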
diff --git a/pgpainless-core/src/main/java/org/pgpainless/util/SignatureSubpacketGeneratorUtil.java b/pgpainless-core/src/main/java/org/pgpainless/util/SignatureSubpacketGeneratorUtil.java index 560c217a..11b5e67a 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/util/SignatureSubpacketGeneratorUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/util/SignatureSubpacketGeneratorUtil.java @@ -15,19 +15,32 @@ */ package org.pgpainless.util; +import java.util.ArrayList; import java.util.Date; - +import java.util.List; import javax.annotation.Nonnull; import org.bouncycastle.bcpg.SignatureSubpacket; import org.bouncycastle.bcpg.SignatureSubpacketTags; +import org.bouncycastle.bcpg.sig.KeyFlags; import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator; +import org.pgpainless.algorithm.KeyFlag; /** * Utility class that helps dealing with BCs SignatureSubpacketGenerator class. */ public class SignatureSubpacketGeneratorUtil { + public static

List

getSubpacketsOfType(org.pgpainless.algorithm.SignatureSubpacket type, + PGPSignatureSubpacketGenerator generator) { + SignatureSubpacket[] subpackets = generator.getSubpackets(type.getCode()); + List

list = new ArrayList<>(); + for (SignatureSubpacket p : subpackets) { + list.add((P) p); + } + return list; + } + public static void removeAllPacketsOfType(org.pgpainless.algorithm.SignatureSubpacket subpacketType, PGPSignatureSubpacketGenerator subpacketGenerator) { removeAllPacketsOfType(subpacketType.getCode(), subpacketGenerator); @@ -84,4 +97,12 @@ public class SignatureSubpacketGeneratorUtil { } return secondsToExpire; } + + public static boolean hasKeyFlag(KeyFlag keyFlag, PGPSignatureSubpacketGenerator generator) { + List keyFlagPackets = getSubpacketsOfType(org.pgpainless.algorithm.SignatureSubpacket.keyFlags, generator); + if (keyFlagPackets.isEmpty()) { + return false; + } + return KeyFlag.hasKeyFlag(keyFlagPackets.get(0).getFlags(), keyFlag); + } }
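Review bot: The cast `(P) p` in `getSubpacketsOfType` is unchecked, so nothing ties the requested `type` code to the element type the caller chooses; a mismatch would only fail later as a ClassCastException at the point of use, such as `keyFlagPackets.get(0).getFlags()`. The generic declaration appears to have been dropped by the page rendering, so this is read from the cast and from the call in `hasKeyFlag`. As a public static helper it should carry Javadoc stating that the caller must pick the subpacket class matching `type`, with a narrowly scoped `@SuppressWarnings("unchecked")` and a comment explaining why. A stricter alternative is to take a `Class<P>` argument and use `clazz.cast(p)`, which fails at the source of the mismatch.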
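Review bot: `hasKeyFlag` evaluates only `keyFlagPackets.get(0)`, so if the generator ever holds more than one key-flags subpacket the later ones are silently ignored when deciding whether a capability such as CERTIFY_OTHER is present. Whether duplicates can occur is not visible from this hunk, but the behaviour should be documented on this public method, for example `/** Returns true if the first key-flags subpacket in the generator carries the given flag; false if there is no such subpacket. */`. The method also dereferences `generator` without a null check, as noted on the `hasCertifyOthersFlag` hunk.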