diff --git a/base.yml b/base.yml
index ebe5324..9f9df55 100644
--- a/base.yml
+++ b/base.yml
@@ -4,6 +4,7 @@
     - base
     - role: ssh-host-certs
       tags: ssh-host-certs
+    - ssh-user-ca
 - hosts: kvm-guest
   roles:
     - serial-console
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 85ce756..47a761d 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,4 +1,6 @@
 sshca_url: https://sshca.pyrocufflink.blue
+ssh_trusted_user_ca_keys: >-
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue
 certbot_account_email: dustin@hatch.name
 smtp:
diff --git a/roles/ssh-user-ca/defaults/main.yml b/roles/ssh-user-ca/defaults/main.yml
new file mode 100644
index 0000000..7f9738d
--- /dev/null
+++ b/roles/ssh-user-ca/defaults/main.yml
@@ -0,0 +1 @@
+ssh_trusted_user_ca_keys: ''
diff --git a/roles/ssh-user-ca/files/trustedusercakeys.conf b/roles/ssh-user-ca/files/trustedusercakeys.conf
new file mode 100644
index 0000000..6b31833
--- /dev/null
+++ b/roles/ssh-user-ca/files/trustedusercakeys.conf
@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/ca.pub
diff --git a/roles/ssh-user-ca/tasks/main.yml b/roles/ssh-user-ca/tasks/main.yml
new file mode 100644
index 0000000..e1aae42
--- /dev/null
+++ b/roles/ssh-user-ca/tasks/main.yml
@@ -0,0 +1,24 @@
+- name: ensure sshd is configured to trust user ca keys
+  copy:
+    src: trustedusercakeys.conf
+    dest: /etc/ssh/sshd_config.d/70-trustedusercakeys.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+    - reload sshd
+  tags:
+    - ssh-user-ca
+    - sshd-config
+    - config
+
+- name: ensure ssh trusted user ca list is set
+  copy:
+    dest: /etc/ssh/ca.pub
+    content: >+
+      {{ ssh_trusted_user_ca_keys }}
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+    - ssh-user-ca
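Review bot: The folded scalar `ssh_trusted_user_ca_keys: >-` joins consecutive lines with a space, but `TrustedUserCAKeys` expects one key per line, so despite the plural name a second CA key added here (for example during a CA rotation) would be folded onto the first line and the resulting ca.pub would not parse. Switching to a literal block, `ssh_trusted_user_ca_keys: |-`, keeps each key on its own line and renders identically for the single key present now. Because this public key is the root of trust for user logins on every host the role reaches, a one-line comment above it naming it as the user CA published by `sshca_url` and noting that rotation means appending the new key before removing the old one would help the next maintainer, e.g. `# Public key of the user CA behind sshca_url; every host applying ssh-user-ca trusts certificates it signs.`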
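Review bot: The drop-in only has an effect if the host's sshd_config contains `Include /etc/ssh/sshd_config.d/*.conf` and does not set `TrustedUserCAKeys` before that line, since sshd keeps the first value it sees for a keyword; neither condition is visible in this change, so it should be stated in the file. It is also worth recording what the directive means on its own: with no `AuthorizedPrincipalsFile`, a certificate from this CA is accepted for a login name only when that name is among the certificate's principals, so principal scoping is entirely the CA's responsibility. A comment at the top of the file, `# Accept user certificates signed by the CA in ca.pub; a cert only works for a login name listed in its principals. sshd_config must Include sshd_config.d/*.conf before any TrustedUserCAKeys of its own (first value wins).`, covers both points.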
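Review bot: With the role default of `''` (see defaults/main.yml in this same change) the second task writes an empty /etc/ssh/ca.pub and the first task tells sshd to trust it, so a host that was meant to accept certificates silently rejects every one of them instead of failing the play. An `assert` at the top of the task list turns that misconfiguration into a visible error; the fence below shows it. Two smaller notes: the `reload sshd` handler is not defined in this role and presumably comes from another role in the same play, which is fine only while both stay in one play, and the lack of `notify` on the ca.pub task looks correct since sshd reads the `TrustedUserCAKeys` file at authentication time rather than at startup, though that is worth a comment on the task (`# sshd re-reads ca.pub on each authentication; no reload needed`).

```yaml
- name: ensure a user ca public key was supplied
  assert:
    that:
      - ssh_trusted_user_ca_keys | trim | length > 0
    fail_msg: ssh_trusted_user_ca_keys is empty; sshd would be told to trust an empty CA file
  tags:
    - ssh-user-ca

# … unchanged: sshd drop-in task and ca.pub task …
```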