diff --git a/pki/pki.go b/pki/pki.go
index 1fab714d..56f3dbbd 100644
--- a/pki/pki.go
+++ b/pki/pki.go
@@ -403,6 +403,13 @@ func (p *PKI) GenerateConfig(opt ...Option) (*authority.Config, error) {
 return nil, errors.Wrap(err, "error serializing private key")
 }
 
+ prov := &provisioner.JWK{
+ Name: p.provisioner,
+ Type: "JWK",
+ Key: p.ottPublicKey,
+ EncryptedKey: key,
+ }
+
 config := &authority.Config{
 Root: []string{p.root},
 FederatedRoots: []string{},
@@ -417,9 +424,7 @@ func (p *PKI) GenerateConfig(opt ...Option) (*authority.Config, error) {
 },
 AuthorityConfig: &authority.AuthConfig{
 DisableIssuedAtCheck: false,
- Provisioners: provisioner.List{
- &provisioner.JWK{Name: p.provisioner, Type: "jwk", Key: p.ottPublicKey, EncryptedKey: key},
- },
+ Provisioners: provisioner.List{prov},
 },
 TLS: &tlsutil.TLSOptions{
 MinVersion: x509util.DefaultTLSMinVersion,
@@ -429,10 +434,14 @@ func (p *PKI) GenerateConfig(opt ...Option) (*authority.Config, error) {
 },
 }
 if p.enableSSH {
+ enableSSHCA := true
 config.SSH = &authority.SSHConfig{
 HostKey: p.sshHostKey,
 UserKey: p.sshUserKey,
 }
+ prov.Claims = &provisioner.Claims{
+ EnableSSHCA: &enableSSHCA,
+ }
 }
 
 // Apply configuration modifiers
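Review bot: The `Type` literal in the new `prov` value (first hunk, `@@ -403,6 +403,13 @@`) changes from `"jwk"` to `"JWK"`, a behaviour change riding along with what otherwise reads as a pure refactor. Whether the provisioner type is matched case-insensitively when the generated config is loaded cannot be confirmed from the lines shown, so configs written before and after this commit may not be treated alike. Either keep the old spelling or state the reason for the new one in the commit message, and prefer a named constant over a repeated string literal if the package offers one. GenerateConfig starts and ends outside the hunk.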
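Review bot: In the `if p.enableSSH` branch (third hunk, `@@ -429,10 +434,14 @@`), `prov.Claims` is replaced wholesale after `config` has already been built. It takes effect only because the provisioner list holds the same `*provisioner.JWK` pointer, and it would silently drop any claims set on `prov` earlier if such code is ever added. Judging by the field name, this also widens what the default provisioner's key can authorise to include SSH certificates, and no other claim limits are visible here, so that deserves an explicit comment. I would add `// Opt the default provisioner in to SSH signing; Claims is nil up to here, so nothing is overwritten.` above the assignment. The function body continues outside the hunk.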