diff --git a/api/sign.go b/api/sign.go
index f7c3cc5a..c0c83ce2 100644
--- a/api/sign.go
+++ b/api/sign.go
@@ -88,6 +88,7 @@ func Sign(w http.ResponseWriter, r *http.Request) {
 	if len(certChainPEM) > 1 {
 		caPEM = certChainPEM[1]
 	}
+
 	LogCertificate(w, certChain[0])
 	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
diff --git a/api/ssh.go b/api/ssh.go
index 273060d0..fbaa8c5a 100644
--- a/api/ssh.go
+++ b/api/ssh.go
@@ -337,6 +337,7 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 		}
 		identityCertificate = certChainToPEM(certChain)
 	}
+
 	LogSSHCertificate(w, cert)
 	render.JSONStatus(w, &SSHSignResponse{
 		Certificate:         SSHCertificate{cert},
diff --git a/api/sshRekey.go b/api/sshRekey.go
index 6c0a5064..80fc6d87 100644
--- a/api/sshRekey.go
+++ b/api/sshRekey.go
@@ -89,6 +89,7 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	LogSSHCertificate(w, newCert)
 	render.JSONStatus(w, &SSHRekeyResponse{
 		Certificate:         SSHCertificate{newCert},
 		IdentityCertificate: identity,
diff --git a/api/sshRenew.go b/api/sshRenew.go
index 4e4d0b04..cd6d9bde 100644
--- a/api/sshRenew.go
+++ b/api/sshRenew.go
@@ -81,6 +81,7 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	LogSSHCertificate(w, newCert)
 	render.JSONStatus(w, &SSHSignResponse{
 		Certificate:         SSHCertificate{newCert},
 		IdentityCertificate: identity,