diff --git a/misc/sshca.py b/misc/sshca.py
new file mode 100644
index 00000000..eefc54f6
--- /dev/null
+++ b/misc/sshca.py
@@ -0,0 +1,23 @@
+#!/usr/bin/python
+
+import confluent.collective.manager as collective
+import eventlet.green.subprocess as subprocess
+import os
+
+def initialize_ca():
+    try:
+        os.makedirs('/etc/confluent/ssh', mode=0o600)
+    except OSError as e:
+        if e.errno != 17:
+            raise
+    caname = '{0} SSH CA'.format(collective.get_myname())
+    subprocess.check_call(['ssh-keygen', '-C', caname, '-t', 'ecdsa', '-f', '/etc/confluent/ssh/ca', '-N', ''])
+
+
+def ca_exists():
+    return os.path.exists('/etc/confluent/ssh/ca')
+
+
+if __name__ == '__main__':
+    if not ca_exists():
+        initialize_ca()
\ No newline at end of file