diff --git a/base.yml b/base.yml
index 2e44e1e..ebe5324 100644
--- a/base.yml
+++ b/base.yml
@@ -2,6 +2,8 @@
 - hosts: all
 roles:
 - base
+ - role: ssh-host-certs
+ tags: ssh-host-certs
 - hosts: kvm-guest
 roles:
 - serial-console
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 3c98b13..85ce756 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,3 +1,5 @@
+sshca_url: https://sshca.pyrocufflink.blue
+
 certbot_account_email: dustin@hatch.name
 smtp:
 mode: relay
diff --git a/roles/ssh-host-certs/defaults/main.yml b/roles/ssh-host-certs/defaults/main.yml
new file mode 100644
index 0000000..646cb9d
--- /dev/null
+++ b/roles/ssh-host-certs/defaults/main.yml
@@ -0,0 +1,4 @@
+ssh_host_certs:
+- /etc/ssh/ssh_host_ed25519_key-cert.pub
+- /etc/ssh/ssh_host_rsa_key-cert.pub
+- /etc/ssh/ssh_host_ecdsa_key-cert.pub
diff --git a/roles/ssh-host-certs/handlers/main.yml b/roles/ssh-host-certs/handlers/main.yml
new file mode 100644
index 0000000..d481a8e
--- /dev/null
+++ b/roles/ssh-host-certs/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart ssh-host-certs.target
+ systemd:
+ name: ssh-host-certs.target
+ state: started
+
+- name: reload sshd
+ service:
+ name: sshd
+ state: reloaded
diff --git a/roles/ssh-host-certs/meta/main.yml b/roles/ssh-host-certs/meta/main.yml
new file mode 100644
index 0000000..592bdcd
--- /dev/null
+++ b/roles/ssh-host-certs/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: dch-yum
+ tags: dch-yum
diff --git a/roles/ssh-host-certs/tasks/main.yml b/roles/ssh-host-certs/tasks/main.yml
new file mode 100644
index 0000000..e91b39b
--- /dev/null
+++ b/roles/ssh-host-certs/tasks/main.yml
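Review bot: The handler `restart ssh-host-certs.target` in roles/ssh-host-certs/handlers/main.yml uses `state: started`, which is a no-op when the target is already active, so a later change to `/etc/sysconfig/ssh-host-cert-sign` (which notifies this handler) will not re-run the signing units until the renew timer next fires. If re-signing on configuration change is the intent, change the handler to `state: restarted`; if a one-time activation is the intent, rename the handler so its name and its effect agree. I cannot see the unit files from this diff, so whether restarting the target re-triggers its member services is an assumption to confirm on a target host.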
@@ -0,0 +1,41 @@
+- name: ensure sshca-cli-systemd is installed
+ package:
+ name: sshca-cli-systemd
+ state: present
+ notify:
+ - restart ssh-host-certs.target
+ tags:
+ - install
+
+- name: ensure ssh-host-cert-sign is configured
+ template:
+ src: ssh-host-cert-sign.env.j2
+ dest: /etc/sysconfig/ssh-host-cert-sign
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - restart ssh-host-certs.target
+ tags:
+ - config
+
+- name: ensure ssh-host-certs-renew.timer is enabled
+ systemd:
+ name: ssh-host-certs-renew.timer
+ enabled: true
+ state: started
+ tags:
+ - service
+
+- name: ensure sshd is configured to use host certificates
+ template:
+ src: hostcertificate.conf.j2
+ dest: /etc/ssh/sshd_config.d/10-hostcertificate.conf
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ notify:
+ - reload sshd
+ tags:
+ - config
+ - sshd_config
diff --git a/roles/ssh-host-certs/templates/hostcertificate.conf.j2 b/roles/ssh-host-certs/templates/hostcertificate.conf.j2
new file mode 100644
index 0000000..1d8359c
--- /dev/null
+++ b/roles/ssh-host-certs/templates/hostcertificate.conf.j2
@@ -0,0 +1,5 @@
+{% if ssh_host_certs|d(none) %}
+{% for cert in ssh_host_certs | sort %}
+HostCertificate {{ cert }}
+{% endfor %}
+{% endif %}
diff --git a/roles/ssh-host-certs/templates/ssh-host-cert-sign.env.j2 b/roles/ssh-host-certs/templates/ssh-host-cert-sign.env.j2
new file mode 100644
index 0000000..defbba2
--- /dev/null
+++ b/roles/ssh-host-certs/templates/ssh-host-cert-sign.env.j2
@@ -0,0 +1 @@
+SSHCA_SERVER={{ sshca_url }}
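Review bot: The task `ensure sshd is configured to use host certificates` writes a drop-in under `/etc/ssh/sshd_config.d/` and notifies `reload sshd` without validating the result first; sshd re-executes itself on reload, so a malformed fragment can take the listener down and lock out remote management. Adding `validate: /usr/sbin/sshd -t -f %s` to that `template` task at least catches syntax errors in the fragment before the handler runs (the sshd path, and whether a fragment validates cleanly in isolation, depend on the distribution, so confirm on a target host). The drop-in is also written before the first signing run has necessarily produced the files listed in `ssh_host_certs`; as far as I recall OpenSSH logs and continues when a `HostCertificate` file is missing, so this should be benign, but a comment on the task saying so would save the next reader a check. Finally, the drop-in only takes effect if the host's main `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf`, which this role does not verify.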
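Review bot: Filter spacing in hostcertificate.conf.j2 is inconsistent between `ssh_host_certs|d(none)` on the first line and `ssh_host_certs | sort` on the second; pick one form, e.g. `{% if ssh_host_certs | d(none) %}`. Sorting the list before emitting it is good for idempotent output, so the rest reads fine.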