diff --git a/signer.sh b/signer.sh
index 88b458c..947dc40 100755
--- a/signer.sh
+++ b/signer.sh
@@ -7,11 +7,26 @@ USER_CA_PRIV=${DIR_ETC}private/user/meutel_user_ca
 HOST_CONFIG_ROOT=${DIR_ETC}public/host/
 USER_CONFIG_ROOT=${DIR_ETC}public/user/
 
-TYPE=$1
-NAME=$2
-PRINCIPALS=$3
+# public key file
+PUBKEY=$1
+# certificate type: user/host
+TYPE=$2
+# config name
+NAME=$3
+# certificate validity duration
 VALIDITY=$4
-OPTS=$5
+# principals for user cert
+PRINCIPALS=$5
+# certificate options
+OPTS=$6
+
+check_pubkey()
+{
+ if [ ! -f $PUBKEY ]; then
+ echo "missing public key: $PUBKEY" >&2
+ exit 2
+ fi
+}
 
 check_ca_key()
 {
@@ -33,7 +48,6 @@ check_config()
 
 user_cert()
 {
- echo "user certificate"
 check_ca_key $USER_CA_PRIV
 USER_CONFIG=${USER_CONFIG_ROOT}${NAME}
 check_config $USER_CONFIG
@@ -45,21 +59,37 @@ user_cert()
 echo "missing validity duration" >&2
 exit 4
 fi
-# ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
-# [-n principals] [-O option] [-V validity_interval]
-# [-z serial_number] file ...
+ if ls $USER_CONFIG/*-cert.pub 2>/dev/null > /dev/null ; then
+ SERIAL=$(( $( ls $USER_CONFIG/*-cert.pub | wc -l ) + 1 ))
+ else
+ SERIAL=1
+ fi
+ TS=$( date '+%Y%m%d%H%M.%S' )
+ CERT_ID="Cert $NAME for $PRINCIPALS generated $TS"
+ USER_PUB_KEY="$USER_CONFIG/key-${TS}.pub"
+ # copy key
+ cp -f "$PUBKEY" "$USER_PUB_KEY"
 
- ssh-keygen
+ echo "Generate user certificate"
+ echo " key: $PUBKEY"
+ echo " serial: $SERIAL"
+ echo " ID: $CERT_ID"
+ echo " principals: $PRINCIPALS"
+ echo " validity: $VALIDITY"
+
+ ssh-keygen -I "$CERT_ID" -s "$USER_CA_PRIV" -n "$PRINCIPALS" -O "$OPTS" -V "$VALIDITY" -z "$SERIAL" "$USER_PUB_KEY"
+ # TODO copy cert
+ # TODO displqy certificate
 }
 
 host_cert()
 {
- echo "host certificate"
 check_ca_key $HOST_CA_PRIV
 HOST_CONFIG=${HOST_CONFIG_ROOT}${NAME}
 check_config $HOST_CONFIG
 }
 
+check_pubkey
 case $TYPE in
 "user")
 user_cert
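Review bot: The new `check_pubkey` does not catch a missing first argument, because `$PUBKEY` is unquoted: when it is empty, `[ ! -f $PUBKEY ]` becomes the two-word test `[ ! -f ]`, which negates the non-emptiness of the literal string `-f` and is false, so the guard is skipped and the script fails later at `cp -f "$PUBKEY" "$USER_PUB_KEY"` instead of with the intended `exit 2`. Quote the expansion and reject the empty case explicitly: `if [ -z "$PUBKEY" ] || [ ! -f "$PUBKEY" ]; then`. A path containing whitespace is mishandled by the same unquoted test, and the third hunk repeats the pattern with `ls $USER_CONFIG/*-cert.pub`, where the unquoted config path is word-split and globbed before the glob you intend.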
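Review bot: The serial derived by counting `*-cert.pub` files in `$USER_CONFIG` is not unique over time: once any certificate file is removed, the next signing reuses its number, and two certificates from this CA sharing a serial can no longer be told apart by a serial-based revocation list, which defeats the point of passing `-z`. A monotonic counter kept in the config directory is the usual fix: `SERIAL_FILE="$USER_CONFIG/serial"`, `SERIAL=$(( $(cat "$SERIAL_FILE" 2>/dev/null || echo 0) + 1 ))`, `printf '%s\n' "$SERIAL" > "$SERIAL_FILE"`, written before `ssh-keygen` runs so a failed run still does not recycle the value. `PRINCIPALS` is passed to `-n` without the presence check that `VALIDITY` gets a few lines above; since a user certificate with no principals is accepted for any account by default, an empty `$5` should be rejected the same way as an empty `$4`. `-O "$OPTS"` with an empty `$6` likely makes ssh-keygen abort on an unknown option, so the `-O` argument should presumably be added only when `OPTS` is set. user_cert begins outside this hunk.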