diff --git a/ca/certificates.go b/ca/certificates.go
index 49ea63dd24..edf26ac1ec 100644
--- a/ca/certificates.go
+++ b/ca/certificates.go
@@ -754,7 +754,7 @@ func GetRemoteCA(ctx context.Context, d digest.Digest, connBroker *connectionbro
 		io.Copy(verifier, bytes.NewReader(response.Certificate))
 
 		if !verifier.Verified() {
-			return RootCA{}, errors.Errorf("remote CA does not match fingerprint. Expected: %s", d.Hex())
+			return RootCA{}, errors.Errorf("remote CA does not match fingerprint. Expected: %s", d.Encoded())
 		}
 	}
 
diff --git a/ca/config.go b/ca/config.go
index f70052bc59..45b84a43d8 100644
--- a/ca/config.go
+++ b/ca/config.go
@@ -367,16 +367,16 @@ func GenerateJoinToken(rootCA *RootCA, fips bool) string {
 		panic(fmt.Errorf("failed to read random bytes: %v", err))
 	}
 
-	var nn, digest big.Int
+	var nn, dgst big.Int
 	nn.SetBytes(secretBytes[:])
-	digest.SetString(rootCA.Digest.Hex(), 16)
+	dgst.SetString(rootCA.Digest.Encoded(), 16)
 
 	fmtString := "SWMTKN-1-%0[1]*s-%0[3]*s"
 	if fips {
 		fmtString = "SWMTKN-2-1-%0[1]*s-%0[3]*s"
 	}
 	return fmt.Sprintf(fmtString, base36DigestLen,
-		digest.Text(joinTokenBase), maxGeneratedSecretLength, nn.Text(joinTokenBase))
+		dgst.Text(joinTokenBase), maxGeneratedSecretLength, nn.Text(joinTokenBase))
 }
 
 // DownloadRootCA tries to retrieve a remote root CA and matches the digest against the provided token.