diff --git a/keys/ssh_user_ca.pub b/keys/ssh_user_ca.pub
new file mode 100644
index 0000000..30305af
--- /dev/null
+++ b/keys/ssh_user_ca.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpgz9xYE3K+JeQ7vtDA07iWlp0xTXB+G8MBzX6/RluXs8E6v+ahx90M093EYIOImaW6npWQ0JnFtmZaet5l9Ao=
\ No newline at end of file
diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
index 1cb83c3..6a5b7b0 100644
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -40,7 +40,7 @@ in
 imports = with inputs.self.modules.nixos; [ ssh ];
 # NixOS Config
 config = {
- ssh.certificates = true;
+ ssh.certificates.enable = true;
 home-manager.sharedModules = with inputs.self.modules; [
 homeManager.step-client
 ];
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index b2a911f..bdf33b7 100644
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
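Review bot: The key on the single `+` line carries no comment field and the file ends without a newline, so the `TrustedUserCAKeys` file it becomes (the ssh.nix hunk copies it to `/etc/ssh/ssh_user_ca.pub`) gives an operator nothing to tell which CA a line belongs to once a second key is appended for rotation. OpenSSH ignores the trailing comment field of a public-key line, so a label such as `ecdsa-sha2-nistp256 AAAA… step-ca-user-ca` (label constructed) costs nothing, and ending the file with a newline keeps a later append from running onto this line. It also helps to record in the label that this is the user CA: the host CA pinned in `programs.ssh.knownHosts` in the same commit is a different P-256 key, which is the right separation, but nothing in this file says so.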
@@ -3,20 +3,43 @@ let
 userName = "john";
 in
 {
- flake.modules.nixos.ssh = { pkgs, config, lib, ... }: {
- options = {
- ssh.certificates = lib.mkEnableOption "Enable SSH certificates";
+ flake.modules.nixos.ssh = { pkgs, config, lib, ... }:
+ let
+ cfg = config.ssh;
+ in
+ {
+ options.ssh = {
+ certificates = {
+ enable = lib.mkEnableOption "Enable SSH certificates";
+ userCA = lib.mkOption {
+ type = lib.types.path;
+ default = ../../keys/ssh_user_ca.pub;
+ };
+ };
 };
 config = {
 services.openssh = {
 enable = true;
 # require public key authentication for better security
- settings.PasswordAuthentication = false;
- settings.KbdInteractiveAuthentication = false;
+ settings = lib.mkMerge [
+ {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ }
+ (lib.mkIf cfg.certificates.enable {
+ TrustedUserCAKeys = "/etc/ssh/ssh_user_ca.pub";
+ HostKey = "/etc/ssh/ssh_host_ed25519_key";
+ HostCertificate = "/etc/ssh/ssh_host_ed25519_key-cert.pub";
+ })
+ ];
 };
- programs.ssh.knownHosts = lib.mkIf config.ssh.certificates {
+ environment.etc."ssh/ssh_user_ca.pub" = lib.mkIf cfg.certificates.enable {
+ source = cfg.certificates.userCA;
+ };
+
+ programs.ssh.knownHosts = lib.mkIf cfg.certificates.enable {
 "192.168.1.*" = {
 certAuthority = true;
 publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";