diff --git a/ChangeLog b/ChangeLog
index 6073abbb8..66c3b6248 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,8 @@
  - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos
    implementation does not have krb5_cc_new_unique, similar to what we do
    in auth-krb5.c.
+ - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that
+   skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@
  - (djm) OpenBSD CVS Sync
    - djm@cvs.openbsd.org 2014/01/20 00:08:48
      [digest.c]
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 1ed5af501..a1318cd53 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -72,32 +72,10 @@ done
 	printf '@cert-authority '
 	printf "$HOSTS "
 	cat $OBJ/host_ca_key.pub
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/cert_host_key_rsa.pub
-	if test "x$TEST_SSH_ECC" = "xyes"; then
-		printf '@revoked '
-		printf "* "
-		cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub
-		printf '@revoked '
-		printf "* "
-		cat $OBJ/cert_host_key_ecdsa-sha2-nistp384.pub
-		printf '@revoked '
-		printf "* "
-		cat $OBJ/cert_host_key_ecdsa-sha2-nistp521.pub
-	fi
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/cert_host_key_ed25519.pub
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/cert_host_key_dsa.pub
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/cert_host_key_rsa_v00.pub
-	printf '@revoked '
-	printf "* "
-	cat $OBJ/cert_host_key_dsa_v00.pub
+	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+		test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
+		printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
+	done
 ) > $OBJ/known_hosts-cert
 for privsep in yes no ; do
 	for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do