diff --git a/client.c b/client.c
index 56ac1bd..89f3068 100644
--- a/client.c
+++ b/client.c
@@ -33,6 +33,7 @@
 
 #include "array.h"
 #include "candm.h"
+#include "cmac.h"
 #include "logging.h"
 #include "memory.h"
 #include "nameserv.h"
@@ -2852,28 +2853,39 @@ process_cmd_retries(const char *line)
 static int
 process_cmd_keygen(char *line)
 {
-  char hash_name[17];
   unsigned char key[512];
-  unsigned int i, length, id = 1, bits = 160;
+  char type[17];
+  unsigned int i, cmac_length, length, id = 1, bits = 160;
 
 #ifdef FEAT_SECHASH
-  snprintf(hash_name, sizeof (hash_name), "SHA1");
+  snprintf(type, sizeof (type), "SHA1");
 #else
-  snprintf(hash_name, sizeof (hash_name), "MD5");
+  snprintf(type, sizeof (type), "MD5");
 #endif
 
-  if (sscanf(line, "%u %16s %u", &id, hash_name, &bits))
+  if (sscanf(line, "%u %16s %u", &id, type, &bits))
     ;
 
-  length = CLAMP(10, (bits + 7) / 8, sizeof (key));
-  if (HSH_GetHashId(hash_name) < 0) {
-    LOG(LOGS_ERR, "Unknown hash function %s", hash_name);
+#ifdef HAVE_CMAC
+  cmac_length = CMC_GetKeyLength(type);
+#else
+  cmac_length = 0;
+#endif
+
+  if (HSH_GetHashId(type) >= 0) {
+    length = (bits + 7) / 8;
+  } else if (cmac_length > 0) {
+    length = cmac_length;
+  } else {
+    LOG(LOGS_ERR, "Unknown hash function or cipher %s", type);
     return 0;
   }
 
+  length = CLAMP(10, length, sizeof (key));
+
   UTI_GetRandomBytesUrandom(key, length);
 
-  printf("%u %s HEX:", id, hash_name);
+  printf("%u %s HEX:", id, type);
   for (i = 0; i < length; i++)
     printf("%02hhX", key[i]);
   printf("\n");
diff --git a/configure b/configure
index 8dbbc93..81422f6 100755
--- a/configure
+++ b/configure
@@ -886,6 +886,7 @@ if [ $feat_sechash = "1" ] && [ "x$HASH_LINK" = "x" ]  && [ $try_nettle = "1" ];
     then
       add_def HAVE_CMAC
       EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_nettle.o"
+      EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS cmac_nettle.o"
     fi
   fi
 fi
diff --git a/doc/chronyc.adoc b/doc/chronyc.adoc
index b80cc1c..2f96a27 100644
--- a/doc/chronyc.adoc
+++ b/doc/chronyc.adoc
@@ -1188,10 +1188,10 @@ generated from the _/dev/urandom_ device and it is printed to standard output.
 +
 The command has three optional arguments. The first argument is the key number
 (by default 1), which will be specified with the *key* option of the *server*
-or *peer* directives in the configuration file. The second argument is the hash
-function (by default SHA1 or MD5 if SHA1 is not available) and the third
-argument is the number of bits the key should have, between 80 and 4096 bits
-(by default 160 bits).
+or *peer* directives in the configuration file. The second argument is the name
+of the hash function or cipher (by default SHA1, or MD5 if SHA1 is not
+available). The third argument is the length of the key in bits if a hash
+function was selected, between 80 and 4096 bits (by default 160 bits).
 +
 An example is:
 +