diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
index 6a5b7b0..d0787e0 100644
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -66,6 +66,9 @@ in
           --principal "${cfg.hostname}.john-stream.com" \
           "${cfg.hostname}" "${sshKeyPath}.pub"
         '')
+        (writeShellScriptBin "ssh-host-cert-check" ''
+          ssh-keygen -Lf ${sshCertPath}
+        '')
       ];
       networking.nameservers = [ "192.168.1.150" ];
       networking.dhcpcd.extraConfig = "nohook resolv.conf";