diff --git a/lib/csr.js b/lib/csr.js
index 89609e2..3eb75cd 100644
--- a/lib/csr.js
+++ b/lib/csr.js
@@ -110,15 +110,12 @@ CSR._sign = function csrEcSig(jwk, request) {
 
 CSR._toDer = function encode(opts) {
   var sty;
-  var sig;
   if (/^EC/i.test(opts.kty)) {
     // 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
     sty = ASN1('30', ASN1('06', '2a8648ce3d040302'));
-    sig = ASN1.BitStr(ASN1('30', Enc.bufToHex(opts.signature)));
   } else {
     // 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
     sty = ASN1('30', ASN1('06', '2a864886f70d01010b'), ASN1('05'));
-    sig = ASN1.BitStr(Enc.bufToHex(opts.signature));
   }
   return ASN1('30'
     // The Full CSR Request Body
@@ -126,7 +123,7 @@ CSR._toDer = function encode(opts) {
     // The Signature Type
   , sty
     // The Signature
-  , sig
+  , ASN1.BitStr(Enc.bufToHex(opts.signature))
   );
 };
 
diff --git a/lib/keypairs.js b/lib/keypairs.js
index 2e423f9..f81bc14 100644
--- a/lib/keypairs.js
+++ b/lib/keypairs.js
@@ -219,10 +219,12 @@ Keypairs._sign = function (opts, payload) {
     ).then(function (signature) {
       signature = new Uint8Array(signature); // ArrayBuffer -> u8
       // This will come back into play for CSRs, but not for JOSE
-      if ('EC' === opts.jwk.kty && /x509/i.test(opts.format)) {
-        signature = Keypairs._ecdsaJoseSigToAsn1Sig(signature);
+      if ('EC' === opts.jwk.kty && /x509|asn1/i.test(opts.format)) {
+        return Keypairs._ecdsaJoseSigToAsn1Sig(signature);
+      } else {
+        // jose/jws/jwt
+        return signature;
       }
-      return signature;
     });
   });
 };
@@ -298,7 +300,7 @@ Keypairs._ecdsaJoseSigToAsn1Sig = function (bufsig) {
   if (len >= 0x80) { head.push(0x81); }
   head.push(len);
 
-  return Uint8Array.from(head.concat([0x02, r.length], r, [0x02, s.byteLength], s));
+  return Uint8Array.from(head.concat([0x02, r.length], r, [0x02, s.length], s));
 };
 
 function setTime(time) {