diff --git a/bootstrapper/internal/joinclient/joinclient_test.go b/bootstrapper/internal/joinclient/joinclient_test.go
index 40ad86551..714a0635e 100644
--- a/bootstrapper/internal/joinclient/joinclient_test.go
+++ b/bootstrapper/internal/joinclient/joinclient_test.go
@@ -51,9 +51,6 @@ func TestClient(t *testing.T) {
 {Role: role.ControlPlane, Name: "node-5", VPCIP: "192.0.2.3"},
 }
 caDerivationKey := make([]byte, 256)
- for i := range caDerivationKey {
- caDerivationKey[i] = 0x0
- }
 respCaKey := &joinproto.IssueJoinTicketResponse{EmergencyCaKey: caDerivationKey}
 testCases := map[string]struct {
diff --git a/cli/internal/cmd/BUILD.bazel b/cli/internal/cmd/BUILD.bazel
index cf22bc7b6..bc6a71a50 100644
--- a/cli/internal/cmd/BUILD.bazel
+++ b/cli/internal/cmd/BUILD.bazel
@@ -205,6 +205,7 @@ go_test(
 "@org_golang_google_grpc//:grpc",
 "@org_golang_google_grpc//codes",
 "@org_golang_google_grpc//status",
+ "@org_golang_x_crypto//ssh",
 "@org_golang_x_mod//semver",
 "@org_uber_go_goleak//:goleak",
 ],
diff --git a/cli/internal/cmd/ssh_test.go b/cli/internal/cmd/ssh_test.go
index cbfc7e628..ba2afb0c5 100644
--- a/cli/internal/cmd/ssh_test.go
+++ b/cli/internal/cmd/ssh_test.go
@@ -2,6 +2,7 @@ package cmd
 import (
 "context"
+ "fmt"
 "testing"
 "github.com/edgelesssys/constellation/v2/internal/constants"
@@ -10,6 +11,7 @@ import (
 "github.com/spf13/afero"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
+ "golang.org/x/crypto/ssh"
 )
 func TestSSH(t *testing.T) {
@@ -54,13 +56,13 @@ func TestSSH(t *testing.T) {
 pubKey: someSSHPubKey,
 wantErr: true,
 },
- "malformatted public key": {
+ "malformed public key": {
 fh: newFsWithDirectory(),
 pubKey: "asdf",
 masterSecret: someMasterSecret,
 wantErr: true,
 },
- "malformatted master secret": {
+ "malformed master secret": {
 fh: newFsWithDirectory(),
 masterSecret: "asdf",
 pubKey: someSSHPubKey,
@@ -91,6 +93,10 @@ func TestSSH(t *testing.T) {
 assert.Error(err)
 } else {
 assert.NoError(err)
+ cert, err := tc.fh.Read(fmt.Sprintf("%s/ca_cert.pub", constants.TerraformWorkingDir))
+ require.NoError(err)
+ _, _, _, _, err = ssh.ParseAuthorizedKey(cert)
+ require.NoError(err)
 }
 })
 }
diff --git a/e2e/miniconstellation/.terraform.lock.hcl b/e2e/miniconstellation/.terraform.lock.hcl
index d98936cba..79b0743ad 100644
--- a/e2e/miniconstellation/.terraform.lock.hcl
+++ b/e2e/miniconstellation/.terraform.lock.hcl
@@ -61,6 +61,25 @@ provider "registry.terraform.io/hashicorp/cloudinit" { ] } +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + hashes = [ + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +} + provider "registry.terraform.io/hashicorp/tls" { version = "4.0.6" constraints = "4.0.6"
diff --git a/internal/crypto/crypto_test.go b/internal/crypto/crypto_test.go
index 0c6ccad1a..db29a7ed9 100644
--- a/internal/crypto/crypto_test.go
+++ b/internal/crypto/crypto_test.go
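Review bot: The success-path check added in the `else` branch of TestSSH (hunk `@@ -91,6 +93,10 @@`) only proves that `ca_cert.pub` parses as an authorized-key line; the parsed key is discarded, so a bare public key written in place of a signed certificate would still pass. Keep the result and assert its type, e.g. `key, _, _, _, err := ssh.ParseAuthorizedKey(cert)` followed by `_, ok := key.(*ssh.Certificate)` and `assert.True(ok)`. If the command is meant to sign `tc.pubKey` with a CA key derived from the master secret (the signing code is not visible in this diff), the test could additionally compare the certificate's `Key` with the input key and check its `SignatureKey`. TestSSH begins and ends outside this hunk.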
@@ -124,21 +124,29 @@ func TestGenerateRandomBytes(t *testing.T) {
 func TestGenerateEmergencySSHCAKey(t *testing.T) {
 nullKey := make([]byte, ed25519.SeedSize)
- for i := range nullKey {
- nullKey[i] = 0x0
- }
 testCases := map[string]struct {
 key []byte
 wantErr bool
 }{
- "invalid key": {
+ "key length = 0": {
 key: make([]byte, 0),
 wantErr: true,
 },
 "valid key": {
 key: nullKey,
 },
+ "nil input": {
+ key: nil,
+ wantErr: true,
+ },
+ "long key": {
+ key: make([]byte, 256),
+ },
+ "key too short": {
+ key: make([]byte, ed25519.SeedSize-1),
+ wantErr: true,
+ },
 }
 for name, tc := range testCases {
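Review bot: The added "long key" case feeds 256 zero bytes and expects success, but because "valid key" and "long key" are both all-zero, the table cannot tell which bytes of an oversized seed actually end up in the CA key. If the intended contract is that only the first `ed25519.SeedSize` bytes are consumed (an assumption, since the function under test is not part of this hunk), a case with non-uniform bytes that compares the public key derived from a 256-byte input with the one derived from its 32-byte prefix would pin that. At minimum the case deserves a comment such as `// the join client test passes a 256-byte EmergencyCaKey, so oversized seeds must be accepted`. The loop body that runs the cases lies outside this hunk, so the assertions themselves could not be reviewed.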