diff --git a/cmd/vcert/cmdCloudKeystores.go b/cmd/vcert/cmdCloudKeystores.go index 6eae7e79..37eaf65e 100644 --- a/cmd/vcert/cmdCloudKeystores.go +++ b/cmd/vcert/cmdCloudKeystores.go @@ -79,7 +79,7 @@ func doCommandProvisionCloudKeystore(c *cli.Context) error { } switch metadata.CloudKeystoreType { case domain.CloudKeystoreTypeACM: - result.ARN = metadata.ARN + result.ARN = metadata.CertificateID case domain.CloudKeystoreTypeAKV: result.AzureID = metadata.CertificateID result.AzureName = metadata.CertificateName diff --git a/cmd/vcert/utils.go b/cmd/vcert/utils.go index abe674b5..7ea35373 100644 --- a/cmd/vcert/utils.go +++ b/cmd/vcert/utils.go @@ -621,7 +621,7 @@ func randRunes(n int) string { func fillProvisioningRequest(req *domain.ProvisioningRequest, keystore domain.CloudKeystore, cf *commandFlags) (*domain.ProvisioningRequest, *domain.ProvisioningOptions) { req.CertificateID = cleanEmptyStringPointer(cf.certificateID) req.Keystore = &keystore - req.PickupID = &(cf.pickupID) + req.PickupID = &(cf.provisionPickupID) if cf.keystoreCertName == "" { return req, nil diff --git a/examples/provisionWithCertificateRequest/main.go b/examples/provisionWithCertificateRequest/main.go index ccaf4aee..5802f0d0 100644 --- a/examples/provisionWithCertificateRequest/main.go +++ b/examples/provisionWithCertificateRequest/main.go @@ -89,7 +89,7 @@ func main() { // Example to get values from other keystores machine identities metadata if certMetaData.CloudKeystoreType == domain.CloudKeystoreTypeACM { - log.Printf("Certificate AWS Metadata ARN:\n%v", certMetaData.ARN) + log.Printf("Certificate AWS Metadata ARN:\n%v", certMetaData.CertificateID) } if certMetaData.CloudKeystoreType == domain.CloudKeystoreTypeAKV { log.Printf("Certificate Azure Metadata ID:\n%v", certMetaData.CertificateID) diff --git a/examples/provisionWithServiceAccount/main.go b/examples/provisionWithServiceAccount/main.go index fc538b50..027ca57b 100644 --- a/examples/provisionWithServiceAccount/main.go 
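Review bot: `result.ARN = metadata.CertificateID` in the ACM case relies on the cloud-provider certificate ID being the ARN, which is no longer visible from the types once the ARN field is gone; a comment such as `// For ACM the provider certificate ID is the certificate ARN.` above the assignment would record that. The switch now depends on metadata.CloudKeystoreType being supplied by the caller rather than inferred from the response, so if it arrives as CloudKeystoreTypeUnknown none of the visible cases fill result; a default case that returns an error is worth considering. The remainder of the switch and of doCommandProvisionCloudKeystore lies outside this hunk.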
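Review bot: `req.PickupID = &(cf.provisionPickupID)` points straight at the flag value, so an unset flag yields a non-nil pointer to "", while two lines up CertificateID is normalised through cleanEmptyStringPointer. If that helper takes a string and returns nil for "", as its name suggests, `req.PickupID = cleanEmptyStringPointer(cf.provisionPickupID)` would keep the two fields consistent and let the receiving side distinguish "not given" from "empty". The pointer also aliases the commandFlags struct, so any later write to cf would show up in the request. fillProvisioningRequest continues past the end of this hunk.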
+++ b/examples/provisionWithServiceAccount/main.go @@ -103,7 +103,7 @@ func main() { // Example to get values from other keystores machine identities metadata if certMetaData.CloudKeystoreType == domain.CloudKeystoreTypeACM { - log.Printf("Certificate AWS Metadata ARN:\n%v", certMetaData.ARN) + log.Printf("Certificate AWS Metadata ARN:\n%v", certMetaData.CertificateID) } if certMetaData.CloudKeystoreType == domain.CloudKeystoreTypeAKV { log.Printf("Certificate Azure Metadata ID:\n%v", certMetaData.CertificateID) diff --git a/pkg/domain/provisioning.go b/pkg/domain/provisioning.go index 628e374b..1e344081 100644 --- a/pkg/domain/provisioning.go +++ b/pkg/domain/provisioning.go @@ -17,7 +17,6 @@ type ProvisioningRequest struct { type ProvisioningMetadata struct { CloudKeystoreType CloudKeystoreType - ARN string CertificateID string CertificateName string CertificateVersion string diff --git a/pkg/venafi/cloud/cloudproviders.go b/pkg/venafi/cloud/cloudproviders.go index 9b3690c7..44185ba3 100644 --- a/pkg/venafi/cloud/cloudproviders.go +++ b/pkg/venafi/cloud/cloudproviders.go @@ -18,7 +18,6 @@ import ( ) type CloudKeystoreProvisioningResult struct { - Arn string `json:"arn"` CloudProviderCertificateID string `json:"cloudProviderCertificateId"` CloudCertificateName string `json:"cloudProviderCertificateName"` CloudCertificateVersion string `json:"cloudProviderCertificateVersion"` @@ -133,7 +132,7 @@ func (c *Connector) ProvisionCertificate(req *domain.ProvisioningRequest, option // parsing metadata from websocket response log.Printf("Getting Cloud Metadata of Certificate ID %s and Keystore ID: %s", certificateIDString, cloudKeystore.ID) - cloudMetadata, err := getCloudMetadataFromWebsocketResponse(workflowResponse.Data.Result) + cloudMetadata, err := getCloudMetadataFromWebsocketResponse(workflowResponse.Data.Result, cloudKeystore.Type) if err != nil { return nil, err } 
@@ -201,9 +200,24 @@ func (c *Connector) ProvisionCertificateToMachineIdentity(req domain.Provisionin return nil, err } + keystoreType := domain.CloudKeystoreTypeUnknown + if req.Keystore == nil { + log.Printf("fetching machine identity to get type") + machineIdentity, err := c.cloudProvidersClient.GetMachineIdentity(ctx, domain.GetCloudMachineIdentityRequest{ + MachineIdentityID: req.MachineIdentityID, + }) + if err != nil { + return nil, fmt.Errorf("failed to get machine identity: %w", err) + } + log.Printf("successfully fetched machine identity") + keystoreType = machineIdentity.Metadata.GetKeystoreType() + } else { + keystoreType = req.Keystore.Type + } + // parsing metadata from websocket response log.Printf("Getting Cloud Metadata of Machine Identity with ID: %s", machineIdentityID) - cloudMetadata, err := getCloudMetadataFromWebsocketResponse(ar.Data.Result) + cloudMetadata, err := getCloudMetadataFromWebsocketResponse(ar.Data.Result, keystoreType) if err != nil { return nil, err } @@ -329,7 +343,7 @@ func (c *Connector) getGraphqlHTTPClient() *http.Client { return httpclient } -func getCloudMetadataFromWebsocketResponse(resultMap interface{}) (*domain.ProvisioningMetadata, error) { +func getCloudMetadataFromWebsocketResponse(resultMap interface{}, keystoreType domain.CloudKeystoreType) (*domain.ProvisioningMetadata, error) { result := CloudKeystoreProvisioningResult{} resultBytes, err := json.Marshal(resultMap) @@ -348,8 +362,7 @@ func getCloudMetadataFromWebsocketResponse(resultMap interface{}) (*domain.Provi } cloudMetadata := &domain.ProvisioningMetadata{ - CloudKeystoreType: domain.CloudKeystoreTypeUnknown, - ARN: result.Arn, + CloudKeystoreType: keystoreType, CertificateID: result.CloudProviderCertificateID, CertificateName: result.CloudCertificateName, CertificateVersion: result.CloudCertificateVersion, 
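Review bot: The keystore-type lookup in the new `if req.Keystore == nil` block runs after the provisioning response (`ar.Data.Result`) is already in hand, so a transient failure of GetMachineIdentity turns an apparently completed provisioning into an error and discards its result; resolving keystoreType before the provisioning action starts, or not failing the whole call on this lookup, would avoid that. The resolved value is also never validated: if GetKeystoreType() returns CloudKeystoreTypeUnknown the metadata is tagged Unknown and callers that switch on CloudKeystoreType silently produce an empty result, whereas the removed inference always chose a concrete type. A guard such as `if keystoreType == domain.CloudKeystoreTypeUnknown { return nil, fmt.Errorf("unable to determine keystore type for machine identity %s", machineIdentityID) }` placed after the if/else would surface this. ProvisionCertificateToMachineIdentity starts and ends outside this hunk, so ctx is assumed to be the context already in scope there.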
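Review bot: getCloudMetadataFromWebsocketResponse now takes keystoreType on trust from the caller instead of deriving it from the payload, but nothing on the signature records that contract. A doc comment such as `// getCloudMetadataFromWebsocketResponse decodes the workflow result into ProvisioningMetadata; keystoreType is taken as-is from the caller and is not inferred from the payload.` would stop a later maintainer from expecting the former ARN/version-based detection. The function body continues beyond this hunk.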
@@ -357,16 +370,5 @@ func getCloudMetadataFromWebsocketResponse(resultMap interface{}) (*domain.Provi MachineIdentityActionType: result.MachineIdentityActionType, } - // Only ACM returns an ARN value - if result.Arn != "" { - cloudMetadata.CloudKeystoreType = domain.CloudKeystoreTypeACM - } else if result.CloudCertificateVersion != "" { - // Only Azure returns a certificate version value - cloudMetadata.CloudKeystoreType = domain.CloudKeystoreTypeAKV - } else { - // No ARN and no certificate version, default to GCM - cloudMetadata.CloudKeystoreType = domain.CloudKeystoreTypeGCM - } - return cloudMetadata, err }
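Review bot: `return cloudMetadata, err` on the last retained line hands back a variable that, provided the Unmarshal error was already checked above (that check sits outside this hunk), is always nil at this point; `return cloudMetadata, nil` states the success path explicitly and removes the impression that a populated result can travel with a non-nil error. With the ACM/AKV/GCM detection deleted, an unrecognised keystore type now passes through unchanged, so the check belongs at the caller that supplies keystoreType.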