diff --git a/api/client/proto/joinservice.pb.go b/api/client/proto/joinservice.pb.go
index a819e18f0c46..78690405a47e 100644
--- a/api/client/proto/joinservice.pb.go
+++ b/api/client/proto/joinservice.pb.go
@@ -27,7 +27,8 @@ var _ = math.Inf
 // proto package needs to be updated.
 const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 
-// TODO(nklaassen): Document me.
+// RegisterUsingIAMMethodRequest is a request for registration via the IAM join
+// method.
 type RegisterUsingIAMMethodRequest struct {
 	// RegisterUsingTokenRequest holds registration parameters common to all
 	// join methods.
diff --git a/api/proto/teleport/legacy/client/proto/joinservice.proto b/api/proto/teleport/legacy/client/proto/joinservice.proto
index 68b35f06df33..2f173401fdd2 100644
--- a/api/proto/teleport/legacy/client/proto/joinservice.proto
+++ b/api/proto/teleport/legacy/client/proto/joinservice.proto
@@ -21,7 +21,8 @@ import "teleport/legacy/types/types.proto";
 
 option go_package = "github.com/gravitational/teleport/api/client/proto";
 
-// TODO(nklaassen): Document me.
+// RegisterUsingIAMMethodRequest is a request for registration via the IAM join
+// method.
 message RegisterUsingIAMMethodRequest {
   // RegisterUsingTokenRequest holds registration parameters common to all
   // join methods.
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index 3014206024d3..6054a51ee6b3 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
@@ -2095,7 +2095,7 @@ message AuthPreferenceSpecV2 {
   HardwareKey HardwareKey = 19 [(gogoproto.jsontag) = "hardware_key,omitempty"];
 
   // SignatureAlgorithmSuite is the configured signature algorithm suite for the cluster.
-  // The current default value is "legacy". This field is not yet fully supported.
+  // If unspecified, the current default value is "legacy".
   SignatureAlgorithmSuite signature_algorithm_suite = 20;
 
   // SecondFactors is a list of supported second factor types.
diff --git a/api/types/types.pb.go b/api/types/types.pb.go
index 773dfea65c92..6da1dc669374 100644
--- a/api/types/types.pb.go
+++ b/api/types/types.pb.go
@@ -6175,7 +6175,7 @@ type AuthPreferenceSpecV2 struct {
 	// HardwareKey are the settings for hardware key support.
 	HardwareKey *HardwareKey `protobuf:"bytes,19,opt,name=HardwareKey,proto3" json:"hardware_key,omitempty"`
 	// SignatureAlgorithmSuite is the configured signature algorithm suite for the cluster.
-	// The current default value is "legacy". This field is not yet fully supported.
+	// If unspecified, the current default value is "legacy".
 	SignatureAlgorithmSuite SignatureAlgorithmSuite `protobuf:"varint,20,opt,name=signature_algorithm_suite,json=signatureAlgorithmSuite,proto3,enum=types.SignatureAlgorithmSuite" json:"signature_algorithm_suite,omitempty"`
 	// SecondFactors is a list of supported second factor types.
 	SecondFactors        []SecondFactorType `protobuf:"varint,21,rep,packed,name=SecondFactors,proto3,enum=types.SecondFactorType" json:"second_factors,omitempty"`
diff --git a/lib/auth/bot.go b/lib/auth/bot.go
index 4b6300564278..d2ce2518abb5 100644
--- a/lib/auth/bot.go
+++ b/lib/auth/bot.go
@@ -288,8 +288,6 @@ func (a *Server) updateBotInstance(
 		}
 	}
 
-	// TODO(nklaassen): consider recording both public keys once they are
-	// actually separated.
 	var publicKeyPEM []byte
 	if req.tlsPublicKey != nil {
 		publicKeyPEM = req.tlsPublicKey
diff --git a/lib/auth/init.go b/lib/auth/init.go
index 9ac7abc541db..48709458cf96 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -1240,7 +1240,6 @@ func checkResourceConsistency(ctx context.Context, keyStore *keystore.Manager, c
 
 // GenerateIdentity generates identity for the auth server
 func GenerateIdentity(a *Server, id state.IdentityID, additionalPrincipals, dnsNames []string) (*state.Identity, error) {
-	// TODO(nklaassen): split SSH and TLS keys for host identities.
 	key, err := cryptosuites.GenerateKey(context.Background(), cryptosuites.GetCurrentSuiteFromAuthPreference(a), cryptosuites.HostIdentity)
 	if err != nil {
 		return nil, trace.Wrap(err)
diff --git a/lib/cryptosuites/suites.go b/lib/cryptosuites/suites.go
index 641c53ce1c8a..d9f1ec8bf7d7 100644
--- a/lib/cryptosuites/suites.go
+++ b/lib/cryptosuites/suites.go
@@ -100,7 +100,6 @@ const (
 	// HostSSH represents a host SSH key.
 	HostSSH
 	// HostIdentity represents a key used for a Teleport host identity.
-	// TODO(nklaassen): split SSH and TLS keys used for host identities.
 	HostIdentity
 
 	// BotImpersonatedIdentity represents a key used for a general impersonated
diff --git a/lib/reversetunnel/cache.go b/lib/reversetunnel/cache.go
index afcbd9355153..3b2e0ab41c55 100644
--- a/lib/reversetunnel/cache.go
+++ b/lib/reversetunnel/cache.go
@@ -113,8 +113,6 @@ func (c *certificateCache) generateHostCert(ctx context.Context, principals []st
 		return nil, trace.Wrap(err)
 	}
 
-	// TODO(nklaassen): request only an SSH cert, we don't need TLS here.
-	// GenerateHostCert needs support for this.
 	res, err := c.authClient.TrustClient().GenerateHostCert(ctx, &trustpb.GenerateHostCertRequest{
 		Key:         pubBytes,
 		HostId:      principals[0],