diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
index a1c5038..16310e6 100644
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -106,6 +106,10 @@ in
         default = ../../keys/root_ca.crt;
       };
     };
+    sshHostProvisioner = lib.mkOption {
+      type = lib.types.str;
+      default = "admin";
+    };
   };
   config = lib.mkIf cfg.enable {
     home.file.".step/certs/root_ca.crt".source = cfg.rootCertFile;
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index a973138..634eeec 100644
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -51,6 +51,10 @@ in
   flake.modules.homeManager.ssh = { pkgs, config, lib, ... }: {
+    imports = with inputs.self.modules.homeManager; [
+      step-client
+    ];
+
     options.ssh = {
       IdentityFile = lib.mkOption {
         # Intentionally not using a path type here because that will end up with the private key getting copied into the store
@@ -78,16 +82,22 @@ in
         publicKeyFile = "${identityFile}.pub";
         certificateFile = "${identityFile}-cert.pub";
         userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts";
+        provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
+        sshHostProvisioner = config.step-client.sshHostProvisioner;
       in {
-        home.packages = [
+        sops.secrets."janus/admin_jwk" = {
+          mode = "0400";
+        };
+
+        home.packages = lib.optionals cfg.certificates.enable [
           (pkgs.writeShellScriptBin "sign-ssh-cert" ''
-            echo "Signing ${publicKeyFile}"
-            echo "Copy the Step-CA JWK Provisioner password from 1password"
-            step ssh certificate --sign \
-              --principal root \
+            ${lib.getExe pkgs.step-cli} ssh certificate \
+              --sign \
               --principal ${userName} \
+              --principal root \
               --principal appdaemon \
-              --provisioner admin \
+              --provisioner "${sshHostProvisioner}" \
+              --provisioner-password-file "${provisionerPasswordPath}" \
               ${userName} ${publicKeyFile}
           '')
         ];
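Review bot: The new `sshHostProvisioner` option has no `description`, so it is invisible in generated option docs and nothing states what it selects; add `description = "Name of the step-ca provisioner that sign-ssh-cert passes as --provisioner when signing SSH certificates.";`. The name suggests a host-certificate provisioner, but the only visible consumer (ssh.nix in this same patch) signs a user certificate with `--principal root` and no `--host`, so either rename it (e.g. `sshProvisioner`) or say so in the description. `lib.types.nonEmptyStr` would also reject an empty string that would otherwise reach the CLI as `--provisioner ""`. The enclosing `options` attrset starts outside the hunk.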
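Review bot: `sops.secrets."janus/admin_jwk"` is declared unconditionally while its only consumer, the `sign-ssh-cert` package, is now gated on `cfg.certificates.enable`, so the provisioner password gets decrypted onto every host that enables this module even when certificate signing is off. Gate the secret the same way, e.g. `sops.secrets."janus/admin_jwk" = lib.mkIf cfg.certificates.enable { mode = "0400"; };` (or place both under one `lib.mkIf`; I believe `mkIf` is honoured inside `attrsOf`, but confirm it evaluates). The secret name is also hard-coded to `admin_jwk` while the provisioner name comes from the configurable `config.step-client.sshHostProvisioner`, so overriding the option would pair a different provisioner with the admin password; either derive the secret path from the provisioner name or add a comment stating the two must stay in sync. The positional `${userName} ${publicKeyFile}` arguments are still unquoted in the generated shell, unlike the new `--provisioner` flags, so quoting them as `"${userName}" "${publicKeyFile}"` would make the script consistent and safe for paths with spaces. The enclosing `let … in` of this block starts outside the hunk.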
@@ -121,7 +131,7 @@ in
         inherit identityFile certificateFile;
         hashKnownHosts = false;
-        userKnownHostsFile = "${userKnownHostsFile}";
+        userKnownHostsFile = userKnownHostsFile;
         addKeysToAgent = "yes";
         forwardAgent = false;