diff --git a/roles/sshca/files/genkey.sh b/roles/sshca/files/genkey.sh
new file mode 100755
index 0000000..29bd3ed
--- /dev/null
+++ b/roles/sshca/files/genkey.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -eu
+
+if [ $# -ne 1 ]; then
+ echo "Usage: $(basename "$0") " 1>&2
+ exit
+fi
+
+cd /srv/sshca/ca
+
+year="$1"
+if [ "$year" -eq "$year" ] 2> /dev/null; then
+ if [ "$year" -lt "$(date +%Y)" ]; then
+ echo "ERROR: Invalid year \"${year}\", time in the past" 1>&2
+ exit 1
+ fi
+else
+ echo "ERROR: Invalid year \"${year}\"" 1>&2
+ exit 1
+fi
+
+if [ -f "ca.${year}" ]; then
+ echo "ERROR: Key \"${year}\" already exists" 1>&2
+ exit 1
+fi
+
+ssh-keygen -t ed25519 -f "/srv/sshca/ca/ca.${year}" -C "foo.sh - SSH CA ${year}"
diff --git a/roles/sshca/tasks/main.yml b/roles/sshca/tasks/main.yml
index 2a604b6..d55c742 100644
--- a/roles/sshca/tasks/main.yml
+++ b/roles/sshca/tasks/main.yml
@@ -27,6 +27,14 @@
 group: "{{ ansible_wheel }}"
 follow: false
+- name: Copy key generation script
+ ansible.builtin.copy:
+ dest: /srv/sshca/ca/genkey.sh
+ src: genkey.sh
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
 - name: Copy signing script
 ansible.builtin.copy:
 dest: /srv/sshca/signcert.sh
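Review bot: The usage path in genkey.sh exits with status 0 — the bare `exit` right after the usage message — so a caller or wrapper cannot tell a missing argument from a successful key generation; make it `exit 2`. The usage string itself ends in a trailing space before the closing quote and never names the expected argument, which looks like a lost `<year>` placeholder worth restoring. The integer test `[ "$year" -eq "$year" ] 2> /dev/null` accepts signed forms such as `+2030` that then become part of the key file name `ca.${year}`; a `case "$year" in [0-9][0-9][0-9][0-9]) ;; *) echo "ERROR: Invalid year \"${year}\"" 1>&2; exit 1 ;; esac` guard pins the four-digit form before it is used as a path component, and the relative `-f "ca.${year}"` check and absolute `-f "/srv/sshca/ca/ca.${year}"` in ssh-keygen should use the same path. The key comment `-C "foo.sh - SSH CA ${year}"` appears to be a leftover template name that does not match the script; since it is embedded in the public key that gets distributed as a trust anchor, use a descriptive, stable identifier such as `"genkey.sh - SSH CA ${year}"`.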