diff --git a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/ssh/SSHSigner.java b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/ssh/SSHSigner.java
index 23aa1bbf84e..473da78e219 100644
--- a/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/ssh/SSHSigner.java
+++ b/libs/java/server_common/src/main/java/com/yahoo/athenz/common/server/ssh/SSHSigner.java
@@ -28,7 +28,8 @@ public interface SSHSigner {
 * @param principal Principal requesting the ssh certificates
 * @param certRequest SSH Certificate Request
 * @param instanceId Instance ID of the origin host
- * @return SSH Certificates
+ * @return SSH Certificates. Any error conditions are handled
+ * by throwing com.yahoo.athenz.common.rest.ResourceExceptions
 */
 default SSHCertificates generateCertificate(Principal principal, SSHCertRequest certRequest,
 final String instanceId) {
@@ -38,7 +39,8 @@ default SSHCertificates generateCertificate(Principal principal, SSHCertRequest
 /**
 * Retrieve the SSH Signer certificate for the given type
 * @param type signer type: user or host
- * @return SSH Signer Certificate
+ * @return SSH Signer Certificate. Any error conditions are handled
+ * by throwing com.yahoo.athenz.common.rest.ResourceExceptions
 */
 default String getSignerCertificate(String type) {
 return null;
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
index a8dbc990169..8d71cd40b42 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
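Review bot: The added `@return` text on `generateCertificate` names `com.yahoo.athenz.common.rest.ResourceExceptions`, while the catch added to ZTSImpl.postSSHCertRequest in this same commit handles `com.yahoo.athenz.common.server.rest.ResourceException`; the documented package is missing `.server`. An implementer who follows the Javadoc literally could throw a type the ZTS catch does not match, so the failure would bypass the new error mapping. Documenting the contract as a throws tag with the exact class would be clearer than folding it into `@return`: `@throws com.yahoo.athenz.common.server.rest.ResourceException on any error condition`. The second hunk, on `getSignerCertificate`, has the same wording and needs the same correction. Both method bodies extend outside their hunks.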
@@ -2563,20 +2563,30 @@ public SSHCertificates postSSHCertRequest(ResourceContext ctx, SSHCertRequest ce AthenzObject.SSH_CERT_REQUEST.convertToLowerCase(certRequest); logPrincipal(ctx); - Object timerMetric = metric.startTiming(callerTiming, ZTSConsts.ZTS_UNKNOWN_DOMAIN); - metric.increment(HTTP_REQUEST); - metric.increment(caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN); - - // generate our ssh certificate + // get our principal and domain values final Principal principal = ((RsrcCtxWrapper) ctx).principal(); + final String domainName = principal.getDomain(); + + Object timerMetric = metric.startTiming(callerTiming, domainName); + metric.increment(HTTP_REQUEST); + metric.increment(caller, domainName); // if we have a certificate then we'll try to extract // the instance id for our request final String instanceId = X509CertUtils.extractRequestInstanceId(principal.getX509Certificate()); - SSHCertificates certs = instanceCertManager.getSSHCertificates(principal, - certRequest, instanceId); + + // generate our certificate. the ssh signer interface throws + // rest ResourceExceptions so we'll catch and log those + + SSHCertificates certs = null; + try { + certs = instanceCertManager.getSSHCertificates(principal, + certRequest, instanceId); + } catch (com.yahoo.athenz.common.server.rest.ResourceException ex) { + throw error(ex.getCode(), ex.getMessage(), caller, domainName); + } metric.stopTiming(timerMetric); return certs;
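Review bot: The new catch block passes `ex.getMessage()` and `ex.getCode()` from the signer's ResourceException straight into `error(...)`, so the text and status chosen by a pluggable SSHSigner implementation presumably reach the caller; what `error` does with them is not visible in this hunk. If signer implementations can put backend details into that message, consider logging it server-side and returning a fixed string, e.g. `throw error(ex.getCode(), "Unable to generate SSH certificate", caller, domainName);`. The comment above the try says the exception is logged, but no log call appears in the hunk. `metric.stopTiming(timerMetric)` is also skipped on this path and for any other runtime exception, which moving it into a `finally` block would cover. postSSHCertRequest begins above the hunk and its closing brace is outside it.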