diff --git a/client/keys.go b/client/keys.go
index d2f14f7a3e1afd28b52d70548e8bbc9734c1aa6b..a2f95e95e37df7ac419271fba383f1cd3f444dec 100644
--- a/client/keys.go
+++ b/client/keys.go
@@ -7,6 +7,7 @@ import (
 	"crypto/rsa"
 	"fmt"
 
+	"golang.org/x/crypto/ed25519"
 	"golang.org/x/crypto/ssh"
 )
 
@@ -15,11 +16,24 @@ type keyfunc func(int) (key, ssh.PublicKey, error)
 
 var (
 	keytypes = map[string]keyfunc{
-		"rsa":   generateRSAKey,
-		"ecdsa": generateECDSAKey,
+		"rsa":     generateRSAKey,
+		"ecdsa":   generateECDSAKey,
+		"ed25519": generateED25519Key,
 	}
 )
 
+func generateED25519Key(bits int) (key, ssh.PublicKey, error) {
+	p, k, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+	pub, err := ssh.NewPublicKey(p)
+	if err != nil {
+		return nil, nil, err
+	}
+	return k, pub, nil
+}
+
 func generateRSAKey(bits int) (key, ssh.PublicKey, error) {
 	k, err := rsa.GenerateKey(rand.Reader, bits)
 	if err != nil {
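Review bot: generateED25519Key takes `bits` but never reads it, so `-bits` (default 4096 in client/main.go) is silently ignored when `-key_type ed25519` is chosen. Ed25519 keys have a fixed size, so document that on the function, e.g. `// generateED25519Key returns a new Ed25519 key pair; bits is ignored because Ed25519 keys have a fixed size.` The "Key size" help text for the `bits` flag in client/main.go could say the same. Separately, the function returns `k` as an `ed25519.PrivateKey` value rather than a pointer. Whether the agent call in installCert (outside this hunk) accepts that form probably depends on the golang.org/x/crypto version in use, so a test that adds a generated ed25519 key to an agent would confirm it.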
diff --git a/client/main.go b/client/main.go
index c5f28f9c309a4d4d570eca4679cc691bb2d54a35..1b35d28b9dd5b39a4e9e7897c7d63419c6c27ee3 100644
--- a/client/main.go
+++ b/client/main.go
@@ -21,7 +21,7 @@ var (
 	url      = flag.String("url", "http://localhost:10000/sign", "Signing URL")
 	keybits  = flag.Int("bits", 4096, "Key size")
 	validity = flag.Duration("validity", time.Hour*24, "Key validity")
-	keytype  = flag.String("key_type", "rsa", "Type of private key to generate - rsa or ecdsa")
+	keytype  = flag.String("key_type", "rsa", "Type of private key to generate - rsa, ecdsa or ed25519")
 )
 
 func installCert(a agent.Agent, cert *ssh.Certificate, key key) error {