diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
index 16310e6..0cc3873 100644
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -82,6 +82,9 @@ in
 flake.modules.homeManager.step-client = { config, pkgs, lib, ... }:
 let
 cfg = config.step-client;
+ firstPrincipal = lib.head cfg.principals;
+ principalArgs = lib.concatMapStrings
+ (principal: "--principal ${principal}") cfg.principals;
 in {
 options.step-client = {
@@ -110,6 +113,14 @@ in
 type = lib.types.str;
 default = "admin";
 };
+ principals = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ };
+ publicKeyFile = lib.mkOption {
+ type = lib.types.str;
+ default = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
+ };
 };
 config = lib.mkIf cfg.enable {
 home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile;
@@ -118,6 +129,17 @@ in
 fingerprint = cfg.fingerprint;
 root = "${cfg.rootCertFile.path}";
 };
+ sops.secrets."janus/admin_jwk".mode = "0400";
+ home.packages = lib.optionals cfg.certificates.enable [
+ (pkgs.writeShellScriptBin "sign-ssh-cert" ''
+ ${lib.getExe pkgs.step-cli} ssh certificate \
+ --sign \
+ ${principalArgs} \
+ --provisioner "${cfg.sshHostProvisioner}" \
+ --provisioner-password-file "${config.sops.secrets."janus/admin_jwk".path}" \
+ "${firstPrincipal}" "${cfg.publicKeyFile}"
+ '')
+ ];
 };
 };
 }
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index c295cba..8ebad84 100644
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -45,6 +45,10 @@ in
 certAuthority = true;
 publicKey = sshHostCAPubKey;
 };
+ "*.john-stream.com" = {
+ certAuthority = true;
+ publicKey = sshHostCAPubKey;
+ };
 };
 };
 };
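Review bot: `principalArgs` is built with `lib.concatMapStrings` and no separator, so with two or more entries the flags run together (`--principal alice--principal root`) and step receives one malformed principal instead of the intended list; the removed version in ssh.nix put each `--principal` on its own line. Use a separated join and shell-escape each value, e.g. `principalArgs = lib.concatMapStringsSep " " (principal: "--principal ${lib.escapeShellArg principal}") cfg.principals;`. Separately, `firstPrincipal = lib.head cfg.principals` aborts evaluation with a generic "list must not be empty" error whenever `principals` keeps its `[ ]` default and `certificates.enable` is set; wrapping it as `firstPrincipal = lib.throwIf (cfg.principals == [ ]) "step-client: principals must not be empty when certificates are enabled" (lib.head cfg.principals);` gives the user an actionable message. Both bindings are consumed by the `sign-ssh-cert` script in the third hunk of this file.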
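Review bot: The new `principals` and `publicKeyFile` options carry no `description`, so they render as undocumented in generated option docs and nothing tells the user that the first list entry is also passed as the positional subject of `step ssh certificate` (hunk at line 129). Add `description = "SSH principals requested in the signed certificate; the first entry is also used as the certificate subject, so the list must not be empty when certificates are enabled.";` to `principals` and `description = "Path to the SSH public key to be signed.";` to `publicKeyFile`, plus an `example = [ "alice" "root" ];` on `principals` since the default is unusable on its own.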
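Review bot: `cfg.sshHostProvisioner`, `cfg.publicKeyFile` and `firstPrincipal` are spliced verbatim into a bash double-quoted string, so a value containing `"`, `$` or a backslash breaks the generated command rather than being passed through. Escaping at the Nix level is the usual fix: `--provisioner ${lib.escapeShellArg cfg.sshHostProvisioner} \` and `${lib.escapeShellArg firstPrincipal} ${lib.escapeShellArg cfg.publicKeyFile}` in place of the quoted interpolations. The `${principalArgs}` expansion is deliberately unquoted and relies on word splitting, which is only correct once the separator issue in the first hunk is fixed.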
@@ -85,23 +89,6 @@ in
 provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
 sshHostProvisioner = config.step-client.sshHostProvisioner;
 in {
- sops.secrets."janus/admin_jwk" = {
- mode = "0400";
- };
-
- home.packages = lib.optionals cfg.certificates.enable [
- (pkgs.writeShellScriptBin "sign-ssh-cert" ''
- ${lib.getExe pkgs.step-cli} ssh certificate \
- --sign \
- --principal ${userName} \
- --principal root \
- --principal appdaemon \
- --provisioner "${sshHostProvisioner}" \
- --provisioner-password-file "${provisionerPasswordPath}" \
- ${userName} ${publicKeyFile}
- '')
- ];
-
 home.file.".ssh/known_hosts" = {
 text = lib.concatStringsSep "\n" (
 [