diff --git a/clanModules/sshd/roles/server.nix b/clanModules/sshd/roles/server.nix
index c66e21acd..22aacae6f 100644
--- a/clanModules/sshd/roles/server.nix
+++ b/clanModules/sshd/roles/server.nix
@@ -9,15 +9,13 @@ let
 domains = stringSet config.clan.sshd.certificate.searchDomains;
- signArgs = builtins.concatStringsSep " " (
- builtins.map (
- domain: "-n ${lib.escapeShellArg "${config.clan.core.machineName}.${domain}"}"
- ) domains
- );
 cfg = config.clan.sshd;
 in
 {
 imports = [ ../shared.nix ];
+ options = {
+ clan.sshd.hostKeys.rsa.enable = lib.mkEnableOption "Generate RSA host key";
+ };
 config = {
 services.openssh = {
 enable = true;
@@ -27,12 +25,17 @@ in
 cfg.certificate.searchDomains != [ ]
 ) config.clan.core.vars.generators.openssh-cert.files."ssh.id_ed25519-cert.pub".path;
- hostKeys = [
- {
- path = config.clan.core.vars.generators.openssh.files."ssh.id_ed25519".path;
- type = "ed25519";
- }
- ];
+ hostKeys =
+ [
+ {
+ path = config.clan.core.vars.generators.openssh.files."ssh.id_ed25519".path;
+ type = "ed25519";
+ }
+ ]
+ ++ lib.optional cfg.hostKeys.rsa.enable {
+ path = config.clan.core.vars.generators.openssh-rsa.files."ssh.id_rsa".path;
+ type = "rsa";
+ };
 };
 clan.core.vars.generators.openssh = {
 files."ssh.id_ed25519" = { };
@@ -47,6 +50,19 @@ in
 '';
 };
+ clan.core.vars.generators.openssh-rsa = lib.mkIf config.clan.sshd.hostKeys.rsa.enable {
+ files."ssh.id_rsa" = { };
+ files."ssh.id_rsa.pub".secret = false;
+ migrateFact = "openssh";
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.openssh
+ ];
+ script = ''
+ ssh-keygen -t rsa -b 4096 -N "" -f $out/ssh.id_rsa
+ '';
+ };
+
 clan.core.vars.generators.openssh-cert = lib.mkIf (cfg.certificate.searchDomains != [ ]) {
 files."ssh.id_ed25519-cert.pub".secret = false;
 dependencies = [
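Review bot: The description passed to `lib.mkEnableOption` on the new `clan.sshd.hostKeys.rsa.enable` line renders as "Whether to enable Generate RSA host key.", and it does not tell the operator that the RSA key is served without a certificate — the CA signing step further down this file signs only `ssh.id_ed25519.pub`. Suggest `lib.mkEnableOption "generating an additional 4096-bit RSA host key next to the ed25519 key; the CA host certificate is issued only for the ed25519 key"`. The `let` block this hunk edits opens before the hunk.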
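Review bot: The entry appended under `++ lib.optional cfg.hostKeys.rsa.enable` makes sshd offer a bare RSA host key that no certificate covers, because the openssh-cert generator below signs only `ssh.id_ed25519.pub`; a client that ends up negotiating RSA (an older client, or one with HostKeyAlgorithms pinned to rsa-sha2-*) therefore falls back to trust-on-first-use even where the CA is trusted. A comment on that line would save the next reader the trace: `# NOTE: uncertified — the CA cert below is issued only for the ed25519 key`. If the RSA key is meant purely as a compatibility fallback, that intent is presumably worth stating in the option description as well. The `services.openssh` attribute set this hunk edits opens before the hunk.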
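Review bot: `migrateFact = "openssh"` on the new openssh-rsa generator reuses the fact name the ed25519 key presumably migrates from; unless the legacy fact under that name actually contained an `ssh.id_rsa`, migration will find no RSA key there, so the line is at best dead and at worst misleading — either drop it or name the fact that really held an RSA key. The guard is written `lib.mkIf config.clan.sshd.hostKeys.rsa.enable` while the hostKeys list above reads `cfg.hostKeys.rsa.enable`; using `cfg` in both places keeps the two sites visibly tied together. The keygen line should also quote its output path, `ssh-keygen -t rsa -b 4096 -N "" -f "$out/ssh.id_rsa"`, and `pkgs.coreutils` looks unused by this one-line script unless the generator harness itself needs it. An empty `-N ""` passphrase is expected for a host key sshd must load unattended, but a short comment saying so would pre-empt the question.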
@@ -65,7 +81,8 @@ in
 ssh-keygen \
 -s $in/openssh-ca/id_ed25519 \
 -I ${config.clan.core.machineName} \
- ${builtins.toString signArgs} \
+ -h \
+ -n ${lib.concatMapStringsSep "," (d: "${config.clan.core.machineName}.${d}") domains} \
 $in/openssh/ssh.id_ed25519.pub
 mv $in/openssh/ssh.id_ed25519-cert.pub $out/ssh.id_ed25519-cert.pub
 '';
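Review bot: The rebuilt `-n` argument drops the `lib.escapeShellArg` that the removed `signArgs` applied to each principal, so a search domain containing whitespace or shell metacharacters now lands in the generator script unquoted; wrap the joined list, `-n ${lib.escapeShellArg (lib.concatMapStringsSep "," (d: "${config.clan.core.machineName}.${d}") domains)} \`, and note the untouched `-I ${config.clan.core.machineName}` on the previous line has the same exposure. These values come from module configuration rather than remote input, so this is robustness more than injection, but the old code already paid for the quoting and the new line should not regress it. Separately, no `-V` is given, so ssh-keygen issues the host certificate with unbounded validity; if regenerating the vars is the intended rotation path, a one-line comment saying so above `ssh-keygen \` would make that explicit. The `script = ''` string this hunk edits starts before the hunk.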