diff --git a/doc/vault/setup.md b/doc/vault/setup.md
index f2a956e..42e079e 100644
--- a/doc/vault/setup.md
+++ b/doc/vault/setup.md
@@ -84,3 +84,40 @@
 ## get the certmanager approle id
 vault read -field=role_id auth/approle/role/certmanager/role-id
+
+
+# SSH Hostkey Signing
+
+## create ssh engine, key, set ttl
+ vault secrets enable -path=ssh-host-signer ssh
+ vault write ssh-host-signer/config/ca generate_signing_key=true
+ vault secrets tune -max-lease-ttl=87600h ssh-host-signer
+
+## create role
+ vault write ssh-host-signer/roles/hostrole \
+ key_type=ca \
+ algorithm_signer=rsa-sha2-256 \
+ ttl=87600h \
+ allow_host_certificates=true \
+ allowed_domains="unkin.net" \
+ allow_subdomains=true \
+ allow_baredomains=true
+
+## create policy to use hostrole
+ cat < sshsign-host.hcl
+ path "ssh-host-signer/sign/hostrole" {
+ capabilities = ["create", "update"]
+ }
+ EOF
+
+ vault policy write sshsign-host-policy sshsign-host.hcl
+
+ vault write auth/approle/role/sshsign-host-role \
+ bind_secret_id=false \
+ token_policies="sshsign-host-policy" \
+ token_ttl=30s \
+ token_max_ttl=30s \
+ token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
+
+## get the sshsign-host-role approle id
+ vault read -field=role_id auth/approle/role/sshsign-host-role/role-id