diff --git a/common.go b/common.go
index c7c3503..68c955c 100644
--- a/common.go
+++ b/common.go
@@ -3,12 +3,12 @@ package crypto11
 import (
 "C"
 "encoding/asn1"
- "encoding/base64"
+ "encoding/hex"
 "errors"
 "math/big"
 "unsafe"
 
- pkcs11 "github.com/miekg/pkcs11"
+ "github.com/miekg/pkcs11"
 )
 
 // ErrMalformedDER represents a failure to decode an ASN.1-encoded message
@@ -19,6 +19,8 @@ var ErrMalformedDER = errors.New("crypto11: malformed DER message")
 // string.
 var ErrMalformedSignature = errors.New("crypto11xo: malformed signature")
 
+const labelLength = 64
+
 func ulongToBytes(n uint) []byte {
 return C.GoBytes(unsafe.Pointer(&n), C.sizeof_ulong) // ugh!
 }
@@ -98,8 +100,7 @@ func dsaGeneric(slot uint, key pkcs11.ObjectHandle, mechanism uint, digest []byt
 
 // Pick a random label for a key
 func generateKeyLabel() ([]byte, error) {
- const labelSize = 32
- rawLabel := make([]byte, labelSize)
+ rawLabel := make([]byte, labelLength / 2)
 var rand PKCS11RandReader
 sz, err := rand.Read(rawLabel)
 if err != nil {
@@ -108,7 +109,7 @@ func generateKeyLabel() ([]byte, error) {
 if sz < len(rawLabel) {
 return nil, ErrCannotGetRandomData
 }
- label := make([]byte, 2*labelSize)
- base64.URLEncoding.Encode(label, rawLabel)
+ label := make([]byte, labelLength)
+ hex.Encode(label, rawLabel)
 return label, nil
 }
diff --git a/common_test.go b/common_test.go
new file mode 100644
index 0000000..0c56825
--- /dev/null
+++ b/common_test.go
@@ -0,0 +1,20 @@
+package crypto11
+
+import (
+ "github.com/stretchr/testify/require"
+ "testing"
+)
+
+func TestGenerateKeyLabel(t *testing.T) {
+ _, err := ConfigureFromFile("config")
+ require.NoError(t, err)
+
+ for i :=0; i < 100; i++ {
+ label, err := generateKeyLabel()
+ require.NoError(t, err)
+ require.Len(t, label, labelLength)
+ for _, b := range label {
+ require.NotEqual(t, byte(0), b)
+ }
+ }
+}
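Review bot: The new constant `labelLength` in common.go has no comment, and its unit is not obvious from the name: generateKeyLabel uses it as the length of the hex-encoded label and halves it to get the number of random bytes. A doc line such as `// labelLength is the length in bytes of a generated key label (hex digits); the label encodes labelLength/2 random bytes.` would make the 32-byte entropy budget visible to whoever changes the value.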
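Review bot: In generateKeyLabel (common.go) the raw buffer is sized `labelLength / 2` in this hunk and the output buffer `labelLength` in the next one, so the two only agree while labelLength is even. With an odd value hex.Encode would leave the last byte of the label as an unwritten zero, which is the condition the new test checks for. Sizing the output from the input removes the coupling: `label := make([]byte, hex.EncodedLen(len(rawLabel)))`. gofmt would also write the expression as `labelLength/2`. The function body spans this hunk and the following one, and the lines between them are not shown.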
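Review bot: TestGenerateKeyLabel in common_test.go asserts only the length and the absence of zero bytes, so it would still pass if the label were not hex at all or if every iteration returned the same label. Inside the loop, `_, err = hex.DecodeString(string(label))` followed by `require.NoError(t, err)` pins the encoding, and recording each label in a `map[string]struct{}` and failing on a repeat pins distinctness. The test also reads a file named `config` and discards the value returned by ConfigureFromFile, so presumably it needs a configured token to run and leaves whatever was opened unreleased; a comment stating that requirement would help.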