diff --git a/pki/helm.go b/pki/helm.go
index 2a8ac513..570fb04d 100644
--- a/pki/helm.go
+++ b/pki/helm.go
@@ -14,11 +14,9 @@ import (
 type helmVariables struct {
 	*linkedca.Configuration
-	Defaults *linkedca.Defaults
-	Password string
-	SSH struct {
-		Enabled bool
-	}
+	Defaults *linkedca.Defaults
+	Password string
+	EnableSSH bool
 	TLS authconfig.TLSOptions
 	Provisioners []provisioner.Interface
 }
@@ -48,6 +46,7 @@ func (p *PKI) WriteHelmTemplate(w io.Writer) error {
 		Configuration: &p.Configuration,
 		Defaults: &p.Defaults,
 		Password: "",
+		EnableSSH: p.options.enableSSH,
 		TLS: authconfig.DefaultTLSOptions,
 		Provisioners: provisioners,
 	}); err != nil {
@@ -67,7 +66,7 @@ inject:
         federateRoots: []
         crt: {{ .Intermediate }}
         key: {{ .IntermediateKey }}
-        {{- if .SSH.Enabled }}
+        {{- if .EnableSSH }}
         ssh:
           hostKey: {{ .Ssh.HostKey }}
           userKey: {{ .Ssh.UserKey }}
diff --git a/pki/pki.go b/pki/pki.go
index 1b6c83e7..fd625199 100644
--- a/pki/pki.go
+++ b/pki/pki.go
@@ -408,6 +408,15 @@ func (p *PKI) GenerateKeyPairs(pass []byte) error {
 		return err
 	}
+	var claims *linkedca.Claims
+	if p.options.enableSSH {
+		claims = &linkedca.Claims{
+			Ssh: &linkedca.SSHClaims{
+				Enabled: true,
+			},
+		}
+	}
+
 	// Add JWK provisioner to the configuration.
 	publicKey, err := json.Marshal(p.ottPublicKey)
 	if err != nil {
@@ -418,8 +427,9 @@ func (p *PKI) GenerateKeyPairs(pass []byte) error {
 		return errors.Wrap(err, "error serializing private key")
 	}
 	p.Authority.Provisioners = append(p.Authority.Provisioners, &linkedca.Provisioner{
-		Type: linkedca.Provisioner_JWK,
-		Name: p.options.provisioner,
+		Type: linkedca.Provisioner_JWK,
+		Name: p.options.provisioner,
+		Claims: claims,
 		Details: &linkedca.ProvisionerDetails{
 			Data: &linkedca.ProvisionerDetails_JWK{
 				JWK: &linkedca.JWKProvisioner{
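Review bot: The new `{{- if .EnableSSH }}` guard keys the ssh block off the CLI option alone, while the two lines under it dereference `.Ssh.HostKey` and `.Ssh.UserKey` through the embedded Configuration; if that `Ssh` pointer is ever nil while the option is set (the SSH key generation is not visible in this diff), text/template would presumably abort rendering with a nil-pointer evaluation error instead of simply omitting the block. Guarding on both conditions is a one-token change and keeps the template self-protecting: `{{- if and .EnableSSH .Ssh }}`. The template literal containing these lines begins and ends outside the hunk, so the matching `{{- end }}` is not shown here.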
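Review bot: The new `claims` block in GenerateKeyPairs carries no comment explaining why SSH is switched on at the provisioner level rather than authority-wide, and a reader of this function (which starts and ends outside the hunk) will not see the option it mirrors without jumping to `p.options`. Suggest, above `var claims *linkedca.Claims`: `// Enable SSH on the default JWK provisioner only when the CA is initialized with SSH support; a nil Claims presumably leaves the provisioner on the authority's default claims — confirm against how Claims is merged.` The nil-fallback half of that is inferred from the field being a pointer, not from anything in this diff, hence the hedge. It may also be worth a word that `SSHClaims` here sets only `Enabled`, so SSH certificate lifetimes still come from wherever the defaults are defined — fine if intentional, but saying so saves the next reader the lookup.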