diff --git a/api/api.go b/api/api.go
index ad8fbb98..9ea430c2 100644
--- a/api/api.go
+++ b/api/api.go
@@ -257,7 +257,7 @@ func (h *caHandler) Route(r Router) {
 	r.MethodFunc("POST", "/ssh/config", h.SSHConfig)
 	r.MethodFunc("POST", "/ssh/config/{type}", h.SSHConfig)
 	r.MethodFunc("POST", "/ssh/check-host", h.SSHCheckHost)
-	r.MethodFunc("POST", "/ssh/get-hosts", h.SSHGetHosts)
+	r.MethodFunc("GET", "/ssh/get-hosts", h.SSHGetHosts)
 
 	// For compatibility with old code:
 	r.MethodFunc("POST", "/re-sign", h.Renew)
diff --git a/ca/client.go b/ca/client.go
index 8cefe4c0..35e07758 100644
--- a/ca/client.go
+++ b/ca/client.go
@@ -611,9 +611,8 @@ func (c *Client) SSHCheckHost(principal string) (*api.SSHCheckPrincipalResponse,
 	return &check, nil
 }
 
-// SSHGetHostPrincipals performs the POST /ssh/check-host request to the CA with the
-// given principal.
-func (c *Client) SSHGetHostPrincipals() (*api.SSHGetHostsResponse, error) {
+// SSHGetHosts performs the GET /ssh/get-hosts request to the CA.
+func (c *Client) SSHGetHosts() (*api.SSHGetHostsResponse, error) {
 	u := c.endpoint.ResolveReference(&url.URL{Path: "/ssh/get-hosts"})
 	resp, err := c.client.Get(u.String())
 	if err != nil {
diff --git a/db/db.go b/db/db.go
index 2aa093b4..5195e1e3 100644
--- a/db/db.go
+++ b/db/db.go
@@ -67,7 +67,7 @@ func New(c *Config) (AuthDB, error) {
 
 	tables := [][]byte{
 		revokedCertsTable, certsTable, usedOTTTable,
-		sshCertsTable, sshHostsTable, sshUsersTable,
+		sshCertsTable, sshHostsTable, sshHostPrincipalsTable, sshUsersTable,
 	}
 	for _, b := range tables {
 		if err := db.CreateTable(b); err != nil {