From 6705bab1fe4e70005dfa427a9b41a096e73b3a7d Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sun, 4 Jan 2026 09:46:42 -0600
Subject: [PATCH] readme updates

---
 README.md | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 600046d..306d1a9 100644
--- a/README.md
+++ b/README.md
@@ -23,10 +23,14 @@ step ca init --ssh --acme
 Use step-ca to sign an existing public key to produce a signed certificate with some principals on it.
 
 ```
+export IP_ADDRESS=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1) && \
+export HOSTNAME=$(hostname -s) && \
 step ssh certificate --host --sign \
---principal janus --principal janus.john-stream.com \
+--principal "$HOSTNAME" \
+--principal "$HOSTNAME.john-stream.com" \
+--principal "$IP_ADDRESS" \
 --provisioner admin \
-janus /etc/ssh/ssh_host_ed25519_key.pub
+"$HOSTNAME" /etc/ssh/ssh_host_ed25519_key.pub
 ```
 
 Get the (public) cert for the CA that signs the user SSH certs from step-ca.
@@ -51,9 +55,18 @@ systemctl reload sshd
 
 ### Client
 
+Trust certs that are signed by Janus:
+
+```
+(umask 022; cat < ~/.ssh/known_hosts
+@cert-authority *.john-stream.com,192.168.1.* $(step ssh config --host --roots)
+EOF
+)
+```
+
 ```
 step ssh certificate --sign \
 --principal root --principal john \
 --provisioner admin \
-john@john-pc-ubuntu ~/.ssh/id_ed25519.pub
+john ~/.ssh/id_ed25519.pub
 ```
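Review bot: The `&& \` chain on the two new `export` lines does not guard the commands inside the substitutions — `export VAR=$(cmd)` returns the status of `export`, not of `cmd` — so on a machine without an `eth0` interface the snippet carries on and signs a host certificate with `--principal ""`. Assigning `HOSTNAME` also overwrites bash's own `HOSTNAME` variable (normally the full hostname) for the rest of the shell session, which other tooling may read. I would use plain lowercase variables and assert them before the signing call: `host_name=$(hostname -s)`, `ip_address=$(ip -4 addr show dev eth0 | awk '/inet /{print $2}' | cut -d/ -f1)`, `: "${host_name:?hostname -s returned nothing}" "${ip_address:?no IPv4 address on eth0}"`, then pass `"$host_name"` and `"$ip_address"` to `step ssh certificate` in place of the exported names.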
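Review bot: The known_hosts snippet as it appears here, `cat < ~/.ssh/known_hosts` followed by a bare `EOF`, reads the file instead of appending to it and leaves the here-document unterminated; this is probably `<<EOF >>` lost in rendering, but if the README really reads this way the line should be `cat <<EOF >> ~/.ssh/known_hosts`. Independently, `$(step ssh config --host --roots)` is expanded unchecked, so a failed or not-yet-bootstrapped `step` client appends an `@cert-authority *.john-stream.com,192.168.1.*` line with no key after it, which ssh cannot parse, and the reader is left believing host-certificate verification is in place when it is not. I would fetch the roots first and abort on failure, `roots=$(step ssh config --host --roots) && [ -n "$roots" ] || exit 1`, then write `"$roots"` inside the here-document. Because that key arrives from the CA over the network, a sentence noting that the `step` client must already be bootstrapped against a verified CA fingerprint before this step would also help the reader.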