diff --git a/src/ca.rs b/src/ca.rs
index f95cc45..055bcf7 100644
--- a/src/ca.rs
+++ b/src/ca.rs
@@ -137,12 +137,38 @@ pub fn parse_public_key(data: &[u8]) -> Result {
 /// This function creates a signed certificate for an SSH host public
 /// key. The certificate will be valid for the specified hostname and
 /// any alias names provided.
-pub fn sign_cert(
+pub fn sign_host_cert(
 hostname: &str,
 pubkey: &PublicKey,
 duration: Duration,
 privkey: &PrivateKey,
 alias: &[&str],
+) -> Result {
+ sign_cert(hostname, pubkey, duration, privkey, alias, CertType::Host)
+}
+
+/// Create a signed SSH certificate for a user public key
+///
+/// This function creates a signed certificate for an SSH user public
+/// key. The certificate will be valid for the specified username and
+/// any alias names provided.
+pub fn sign_user_cert(
+ username: &str,
+ pubkey: &PublicKey,
+ duration: Duration,
+ privkey: &PrivateKey,
+ alias: &[&str],
+) -> Result {
+ sign_cert(username, pubkey, duration, privkey, alias, CertType::User)
+}
+
+fn sign_cert(
+ principal: &str,
+ pubkey: &PublicKey,
+ duration: Duration,
+ privkey: &PrivateKey,
+ alias: &[&str],
+ cert_type: CertType,
 ) -> Result {
 let now = SystemTime::now();
 let not_before = now.duration_since(UNIX_EPOCH)?.as_secs();
@@ -151,8 +177,8 @@ pub fn sign_cert(
 let mut builder = Builder::new_with_random_nonce(
 &mut OsRng, pubkey, not_before, not_after,
 )?;
- builder.cert_type(CertType::Host)?;
- builder.valid_principal(hostname)?;
+ builder.cert_type(cert_type)?;
+ builder.valid_principal(principal)?;
 for a in alias {
 builder.valid_principal(*a)?;
 }
diff --git a/src/server/host.rs b/src/server/host.rs
index ba9cb83..7933818 100644
--- a/src/server/host.rs
+++ b/src/server/host.rs
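Review bot: The new private `sign_cert` helper in the first hunk has no doc comment, while both public wrappers document theirs; since it is now the single place that fixes the certificate type and the principal list for every issued certificate, give it a header along the lines of `/// Shared signing path: issues a certificate of `cert_type` naming `principal` plus every entry of `alias` as valid principals; callers validate those strings before they reach the CA key.` The helper also forwards `principal` and each alias to `valid_principal` unchanged, so an empty or whitespace-only string from a caller is signed as-is; whether the builder rejects such values is not visible in this diff, so a check such as `if principal.trim().is_empty() { return Err(/* invalid principal */); }` at the top of `sign_cert` would keep a careless caller from issuing a certificate with a blank principal. The body of `sign_cert` continues past the first hunk; the second hunk only threads `cert_type` and `principal` into the existing builder calls and raises no separate point.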
@@ -211,7 +211,8 @@ pub(super) async fn sign_host_cert(
 pubkey.algorithm().as_str(),
 hostname
 );
-let cert = ca::sign_cert(&hostname, &pubkey, duration, &privkey, &[])?;
+let cert =
+ca::sign_host_cert(&hostname, &pubkey, duration, &privkey, &[])?;
 info!(
 "Signed {} key for {}",
 pubkey.algorithm().as_str(),