diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index d7d7820..03f630d 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -48,6 +48,7 @@
 - pki
 - psacct
 - sshd
+ - sshd_cert
 - node_exporter
 loop_control:
 loop_var: role
diff --git a/roles/sshd_cert/meta/main.yml b/roles/sshd_cert/meta/main.yml
new file mode 100644
index 0000000..bc03e65
--- /dev/null
+++ b/roles/sshd_cert/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: sshd}
diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml
new file mode 100644
index 0000000..4852748
--- /dev/null
+++ b/roles/sshd_cert/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+- name: Copy public key for signing
+ ansible.builtin.fetch:
+ src: /etc/ssh/ssh_host_ed25519_key.pub
+ dest: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
+ flat: true
+
+- name: Sign key
+ ansible.builtin.command:
+ argv:
+ - ssh-keygen
+ - -s
+ - /srv/sshca/ca/ca
+ - -I
+ - "{{ inventory_hostname }}"
+ - -h
+ - -n
+ - "{{ inventory_hostname }}"
+ - -V
+ - -1h:+365d
+ - -z
+ - "{{ ansible_date_time.epoch }}"
+ - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
+ creates: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub"
+ delegate_to: localhost
+
+- name: Install certificate
+ ansible.builtin.copy:
+ dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
+ src: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub"
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart sshd
+
+- name: Enable host certificate
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ line: HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+ regexp: "^(# )?HostCertificate .*"
+ insertafter: "^HostKey .*"
+ validate: "sshd -t -f %s"
+ notify: Restart sshd
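Review bot: The dependency entry `- {role: sshd}` in roles/sshd_cert/meta/main.yml uses flow style where the rest of this role is written in block style; `- role: sshd` is equivalent to Ansible and keeps the files consistent. Since the new tasks notify `Restart sshd` and that handler is not defined in this role, it is presumably provided by the sshd dependency, which is worth stating with a comment such as `# provides the Restart sshd handler notified by tasks/main.yml`.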
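Review bot: The `creates:` guard on the Sign key task in roles/sshd_cert/tasks/main.yml means each host certificate is signed exactly once, yet `-V -1h:+365d` makes it expire after a year, and a rotated host key (re-fetched by the first task) would keep being served with the old certificate; after expiry sshd keeps running but clients validating against the CA will no longer accept the certificate. For the rotation case, registering the fetch (`register: sshd_cert_pubkey`) and replacing `creates:` with `when: sshd_cert_pubkey.changed` re-signs whenever the fetched public key differs from the controller's copy. Expiry still needs a renewal trigger, e.g. a preceding task that reads the existing certificate on the controller with `ssh-keygen -L -f` and drives the signing task from its result, or a documented re-issue procedure; either way the one-year lifetime and the lack of automatic renewal should be stated in a comment above the task. The principal passed via `-n "{{ inventory_hostname }}"` has to match the name clients connect with, so if inventory names are not the FQDNs clients resolve the certificate will be rejected — presumably fine for this inventory, but a comment recording that assumption would help.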