diff --git a/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml
index 1f56e70..e496390 100644
--- a/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm1036.main.unkin.net.yaml
@@ -5,6 +5,12 @@ profiles::puppet::server::dns_alt_names:
   - puppetca.query.consul
   - puppetca
 
+profiles::ssh::sign::principals:
+  - puppetca.main.unkin.net
+  - puppetca.service.consul
+  - puppetca.query.consul
+  - puppetca
+
 profiles::puppet::puppetca::is_puppetca: true
 profiles::puppet::puppetca::allow_subject_alt_names: true
 networking::interfaces:
diff --git a/hieradata/roles/infra/git/gitea.yaml b/hieradata/roles/infra/git/gitea.yaml
index 6cd45fc..ec84020 100644
--- a/hieradata/roles/infra/git/gitea.yaml
+++ b/hieradata/roles/infra/git/gitea.yaml
@@ -6,6 +6,11 @@ profiles::pki::vault::alt_names:
   - git.query.consul
   - "git.service.%{facts.country}-%{facts.region}.consul"
 
+profiles::ssh::sign::principals:
+  - git.main.unkin.net
+  - git.service.consul
+  - git.query.consul
+
 consul::services:
   git:
     service_name: 'git'
diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml
index 374a5ac..562fbfb 100644
--- a/hieradata/roles/infra/puppet/master.yaml
+++ b/hieradata/roles/infra/puppet/master.yaml
@@ -58,6 +58,10 @@ profiles::puppet::server::dns_alt_names:
   - puppetmaster
   - puppet
 
+profiles::ssh::sign::principals:
+  - puppet.service.consul
+  - puppet.query.consul
+
 consul::services:
   puppet:
     service_name: 'puppet'