diff --git a/readme-vars.yml b/readme-vars.yml
index 7435245..475a552 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -36,6 +36,11 @@ opt_param_env_vars:
   - {env_var: "USER_PASSWORD_FILE", env_value: "/path/to/file", desc: "Optionally specify a file that contains the password. This setting supersedes the `USER_PASSWORD` option (works with docker secrets)."}
   - {env_var: "USER_NAME", env_value: "linuxserver.io", desc: "Optionally specify a user name (Default:`linuxserver.io`)"}
   - {env_var: "LOG_STDOUT", env_value: "", desc: "Set to `true` to log to stdout instead of file."}
+  - {env_var: "TRUSTED_USER_CA_KEYS", env_value: "", desc: "Optionally trusted user CA keys, which will automatically be added to trusted user CA keys."}
+  - {env_var: "TRUSTED_USER_CA_KEYS_FILE", env_value: "/path/to/file", desc: "Optionally specify a file containing the trusted user CA keys (works with docker secrets)."}
+  - {env_var: "AUTHORIZED_PRINCIPALS", env_value: "", desc: "Optionally specify a list of authorized principals. space separated list."}
+  - {env_var: "AUTHORIZED_PRINCIPALS_FILE", env_value: "/path/to/file", desc: "Optionally specify a file containing a list of authorized principals."}
+  - {env_var: "ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS", env_value: "false", desc: "Set to `true` to add the default user to the list of authorized principals."}
 readonly_supported: false
 nonroot_supported: false
 # application setup block
@@ -115,6 +120,7 @@ init_diagram: |
   "openssh-server:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "12.02.25:", desc: "Add support for trusted user CA keys"}
   - {date: "10.02.25:", desc: "Add support for sshd_config.d"}
   - {date: "12.01.25:", desc: "Rebase to Alpine 3.21."}
   - {date: "24.11.24:", desc: "Move sshd_config to /config/sshd/sshd_config."}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
index 1f24239..d883ec9 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
@@ -128,6 +128,64 @@ if [[ -d "$PUBLIC_KEY_DIR" ]]; then
     done
 fi
 
+# set trusted user CA keys
+if [[ -n "$TRUSTED_USER_CA_KEYS" ]]; then
+    touch /config/.ssh/trusted_user_ca_keys
+    if ! grep -q "${TRUSTED_USER_CA_KEYS}" /config/.ssh/trusted_user_ca_keys; then
+        echo "$TRUSTED_USER_CA_KEYS" >> /config/.ssh/trusted_user_ca_keys
+        echo "Trusted user CA keys added"
+    fi
+fi
+
+if [[ -n "$TRUSTED_USER_CA_KEYS_FILE" ]] && [[ -f "$TRUSTED_USER_CA_KEYS_FILE" ]]; then
+    touch /config/.ssh/trusted_user_ca_keys
+    TRUSTED_USER_CA_KEYS2=$(cat "$TRUSTED_USER_CA_KEYS_FILE")
+    if ! grep -q "$TRUSTED_USER_CA_KEYS2" /config/.ssh/trusted_user_ca_keys; then
+        echo "$TRUSTED_USER_CA_KEYS2" >> /config/.ssh/trusted_user_ca_keys
+        echo "Trusted user CA keys from file added"
+    fi
+fi
+
+if [[ -f /config/.ssh/trusted_user_ca_keys ]]; then
+    if ! grep -q "^TrustedUserCAKeys" /etc/ssh/sshd_config; then
+        echo "TrustedUserCAKeys /config/.ssh/trusted_user_ca_keys" >> /etc/ssh/sshd_config
+    else
+        sed -i '/^#TrustedUserCAKeys/c\TrustedUserCAKeys /config/.ssh/trusted_user_ca_keys' /etc/ssh/sshd_config
+        sed -i '/^TrustedUserCAKeys/c\TrustedUserCAKeys /config/.ssh/trusted_user_ca_keys' /etc/ssh/sshd_config
+    fi
+fi
+
+# set authorized principals
+if [[ -n "$AUTHORIZED_PRINCIPALS" ]]; then
+    touch /config/.ssh/authorized_principals
+
+    for principal in $AUTHORIZED_PRINCIPALS; do
+        echo "$principal" >> /config/.ssh/authorized_principals
+        echo "add $principal Authorized principals added"
+    done
+fi
+
+if [[ -n "$AUTHORIZED_PRINCIPALS_FILE" ]] && [[ -f "$AUTHORIZED_PRINCIPALS_FILE" ]]; then
+    touch /config/.ssh/authorized_principals
+    cat $AUTHORIZED_PRINCIPALS_FILE >> /config/.ssh/authorized_principals
+    echo "Authorized principals from file added"
+fi
+
+if [[ "$ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS" == "true" ]]; then
+    touch /config/.ssh/authorized_principals
+    echo "$USER_NAME" > /config/.ssh/authorized_principals
+    echo "$USER_NAME added to Authorized principals"
+fi
+
+if [[ -f /config/.ssh/authorized_principals ]]; then
+    if ! grep -q "^AuthorizedPrincipalsFile" /etc/ssh/sshd_config; then
+        echo "AuthorizedPrincipalsFile /config/.ssh/authorized_principals" >> /etc/ssh/sshd_config
+    else
+        sed -i '/^#AuthorizedPrincipalsFile/c\AuthorizedPrincipalsFile /config/.ssh/authorized_principals' /etc/ssh/sshd_config
+        sed -i '/^AuthorizedPrincipalsFile/c\AuthorizedPrincipalsFile /config/.ssh/authorized_principals' /etc/ssh/sshd_config
+    fi
+fi
+
 # back up old log files processed by logrotate
 if [[ -f /config/logs/openssh/openssh.log ]]; then
     mv /config/logs/openssh /config/logs/openssh.old.logs
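Review bot: `echo "$USER_NAME" > /config/.ssh/authorized_principals` truncates the file, so enabling ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS silently discards every principal just appended from AUTHORIZED_PRINCIPALS and AUTHORIZED_PRINCIPALS_FILE; it should append with `>>` like the other writers. The AUTHORIZED_PRINCIPALS loop also has no presence check (unlike the CA-key blocks), so every container start appends the same principals again and, if /config is a persistent volume as the rest of this script suggests, a principal removed from the variable is never removed from the file. The lines below add a `grep -qxF` check to both blocks and fix the append; `-F` is worth adding to the CA-key greps too, since they currently treat key material containing `+` or `/` as a regex, and `cat $AUTHORIZED_PRINCIPALS_FILE` should be quoted like every other use of that variable. The hunk's leading `done`/`fi` close a block that starts outside it; the new blocks themselves are self-contained.
```shell
# set authorized principals
if [[ -n "$AUTHORIZED_PRINCIPALS" ]]; then
    touch /config/.ssh/authorized_principals

    for principal in $AUTHORIZED_PRINCIPALS; do
        if ! grep -qxF "$principal" /config/.ssh/authorized_principals; then
            echo "$principal" >> /config/.ssh/authorized_principals
            echo "$principal added to Authorized principals"
        fi
    done
fi

# … unchanged: AUTHORIZED_PRINCIPALS_FILE block (quote the variable in the cat) …

if [[ "$ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS" == "true" ]]; then
    touch /config/.ssh/authorized_principals
    if ! grep -qxF "$USER_NAME" /config/.ssh/authorized_principals; then
        echo "$USER_NAME" >> /config/.ssh/authorized_principals
        echo "$USER_NAME added to Authorized principals"
    fi
fi

# … unchanged: sshd_config AuthorizedPrincipalsFile wiring …
```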