diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
index a64edfa2d..f3c83f765 100644
--- a/builtin/logical/ssh/path_sign.go
+++ b/builtin/logical/ssh/path_sign.go
@@ -9,6 +9,7 @@ import (
 "crypto/sha256"
 "errors"
 "fmt"
+ "io"
 "strconv"
 "strings"
 "time"
@@ -484,10 +485,27 @@ func (b *creationBundle) sign() (retCert *ssh.Certificate, retErr error) {
 },
 }
- err = certificate.SignCert(rand.Reader, b.Signer)
+ sshAlgorithmSigner, _ := b.Signer.(ssh.AlgorithmSigner)
+
+ // prepare certificate for signing
+ certificate.Nonce = make([]byte, 32)
+ if _, err := io.ReadFull(rand.Reader, certificate.Nonce); err != nil {
+ return nil, fmt.Errorf("failed to generate signed SSH key")
+ }
+ certificate.SignatureKey = sshAlgorithmSigner.PublicKey()
+
+ // get bytes to sign
+ c2 := *certificate
+ c2.Signature = nil
+ out := c2.Marshal()
+ certificateBytes := out[:len(out)-4]
+
+ // sign with rsa-sha2-256
+ sig, err := sshAlgorithmSigner.SignWithAlgorithm(rand.Reader, certificateBytes, ssh.SigAlgoRSASHA2256)
 if err != nil {
 return nil, fmt.Errorf("failed to generate signed SSH key")
 }
+ certificate.Signature = sig
 return certificate, nil
 }
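Review bot: The type assertion `sshAlgorithmSigner, _ := b.Signer.(ssh.AlgorithmSigner)` discards the ok result, so a signer that does not implement the interface leaves a nil value and the following `sshAlgorithmSigner.PublicKey()` call panics instead of returning an error. The signing call also hard-codes `ssh.SigAlgoRSASHA2256` with no check of the CA key type visible in the hunk; for a non-RSA CA key (ECDSA, Ed25519) this would presumably fail where the removed `SignCert` call worked, so the override should be limited to RSA keys. The `out[:len(out)-4]` slice depends on Marshal ending with a 4-byte length prefix for the nil signature and deserves a comment saying so. sign() begins above the hunk, so any earlier validation of b.Signer is not visible here.

```go
// … unchanged: certificate literal …

// Only RSA CA keys need the explicit rsa-sha2-256 override; every other
// key type keeps the library's default signing path.
if b.Signer.PublicKey().Type() != ssh.KeyAlgoRSA {
	if err := certificate.SignCert(rand.Reader, b.Signer); err != nil {
		return nil, fmt.Errorf("failed to generate signed SSH key")
	}
	return certificate, nil
}

sshAlgorithmSigner, ok := b.Signer.(ssh.AlgorithmSigner)
if !ok {
	return nil, fmt.Errorf("failed to generate signed SSH key: signer does not implement ssh.AlgorithmSigner")
}

// … unchanged: nonce generation, SignatureKey, marshalling, SignWithAlgorithm call …
```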