diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index e691506a95..1b8ed5d781 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -129,6 +129,9 @@
 - selinux
 - base
+- name: Set up SSH certificates
+ include: sshcerts.yml
+
 - name: sshd_config
 copy: src={{ item }} dest=/etc/ssh/sshd_config mode=0600
 with_first_found:
diff --git a/roles/base/tasks/sshcerts.yml b/roles/base/tasks/sshcerts.yml
new file mode 100644
index 0000000000..d22af0cc2c
--- /dev/null
+++ b/roles/base/tasks/sshcerts.yml
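Review bot: The new `include: sshcerts.yml` task carries no `when:` or `tags:`, so every task in the included file has to repeat `when: "env == 'staging'"` and the same four-entry tags list itself. With a static `include` such as this one, a condition and tags placed on the include line are applied to every included task, so `when: "env == 'staging'"` and the same `tags:` block here would let the repeated copies in sshcerts.yml be dropped and would keep the whole sequence out of non-staging runs even if one task's guard were forgotten. The surrounding task list continues outside the hunk.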
@@ -0,0 +1,114 @@
+- name: Determine SSH keys generated by this machine
+ find: paths=/etc/ssh
+ file_type=file
+ patterns="ssh_host_*_key"
+ register: ssh_key_files
+ when: "env == 'staging'"
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Determine SSH keys never signed
+ stat: path="{{item.path}}-cert.pub"
+ with_items: "{{ssh_key_files.files}}"
+ register: ssh_cert_files
+ when: "env == 'staging'"
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Set lists of certs to sign to empty
+ set_fact:
+ certs_to_sign: "[]"
+ when: "env == 'staging'"
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Set list of certs to sign
+ set_fact:
+ certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]"
+ with_items: "{{ssh_cert_files.results}}"
+ when: "env == 'staging' and not item.stat.exists"
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+# TODO: Get expired certificates, and add them to certs_to_sign
+
+- name: Create directory for storing pubkeys
+ command: "mktemp -d --suffix=sshkeysign"
+ delegate_to: "batcave01.phx2.fedoraproject.org"
+ run_once: true
+ register: pubkeydirout
+ when: "env == 'staging' and {{certs_to_sign}} != []"
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- set_fact:
+ pubkeydir: "{{pubkeydirout.stdout}}"
+ when: "env == 'staging' and {{certs_to_sign}} != []"
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Get public keys for certs to sign
+ fetch: src="{{item}}.pub"
+ dest="{{pubkeydir}}"
+ fail_on_missing=true
+ with_items: "{{certs_to_sign}}"
+ when: "env == 'staging'"
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Set some extra signing facts
+ set_fact:
+ sign_hostnames: "{{inventory_hostname}}"
+ sign_validity: "-1h:+2w"
+ when: "env == 'staging'"
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+# Currently, we use the epoch as serial. That's unique enough for now
+- name: Sign the certificates
+ command: "ssh-keygen -s {{private}}/files/ssh/staging_ca_host_key -I {{inventory_hostname}} -h -n {{ sign_hostnames }} -V {{sign_validity}} -z {{ansible_date_time.epoch}} {{pubkeydir}}/{{inventory_hostname}}{{item}}.pub"
+ delegate_to: "batcave01.phx2.fedoraproject.org"
+ with_items: "{{certs_to_sign}}"
+ when: "env == 'staging'"
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
+
+- name: Copy the certificates
+ copy: src="{{pubkeydir}}/{{inventory_hostname}}{{item}}-cert.pub"
+ dest="{{item}}-cert.pub"
+ with_items: "{{certs_to_sign}}"
+ when: "env == 'staging'"
+ notify:
+ - restart sshd
+ tags:
+ - sshd_config
+ - config
+ - sshd
+ - base
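Review bot: The two `when: "env == 'staging' and {{certs_to_sign}} != []"` lines (on `Create directory for storing pubkeys` and the unnamed `set_fact` after it) embed `{{ }}` inside a `when:` expression, which is already a raw Jinja context; they should read `when: "env == 'staging' and certs_to_sign != []"`. The same mktemp task is `run_once: true` while its condition depends on the per-host `certs_to_sign`, so whether the directory is created at all appears to be decided by whichever host runs first, and every later `{{pubkeydir}}` reference would then be undefined for the others; creating the directory unconditionally and guarding only the signing steps on `certs_to_sign != []`, or dropping `run_once`, avoids that. In `Sign the certificates`, `-z {{ansible_date_time.epoch}}` yields the same value for every `with_items` entry, so a host with more than one host key receives several certificates sharing one serial, which undermines serial-based revocation through a KRL; the serial needs a per-key component in addition to the epoch. The directory produced by `mktemp -d --suffix=sshkeysign` on batcave01.phx2.fedoraproject.org is never removed, so fetched public keys and certificates accumulate there across runs; a final delegated `file: path="{{pubkeydir}}" state=absent` would clean it up. The accumulation `certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]"` relies on Ansible re-evaluating the rendered string as a Python literal, whereas `certs_to_sign: "{{ certs_to_sign + [item.item.path] }}"` expresses the same list append without that dependency.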