diff --git a/step-cli/reference/README.mdx b/step-cli/reference/README.mdx
index 7003b0f3..7dd018df 100644
--- a/step-cli/reference/README.mdx
+++ b/step-cli/reference/README.mdx
@@ -65,7 +65,7 @@ print the version
 
 ## Version
 
-Smallstep CLI/0.27.5 (linux/amd64)
+Smallstep CLI/0.28.0 (linux/amd64)
 
 ## Copyright
 
diff --git a/step-cli/reference/ca/certificate/README.mdx b/step-cli/reference/ca/certificate/README.mdx
index a50cd226..61b7e212 100644
--- a/step-cli/reference/ca/certificate/README.mdx
+++ b/step-cli/reference/ca/certificate/README.mdx
@@ -18,7 +18,7 @@ step ca certificate <subject> <crt-file> <key-file>
 [--not-before=<time|duration>] [--not-after=<time|duration>]
 [--san=<SAN>] [--set=<key=value>] [--set-file=<file>]
 [--acme=<file>] [--standalone] [--webroot=<file>]
-[--contact=<email>] [--http-listen=<address>] [--bundle]
+[--contact=<email>] [--http-listen=<address>]
 [--kty=<type>] [--curve=<curve>] [--size=<size>] [--console]
 [--x5c-cert=<file>] [--x5c-key=<file>] [--k8ssa-token-path=<file>]
 [--offline] [--password-file] [--ca-url=<uri>] [--root=<file>]
diff --git a/step-cli/reference/ca/provisioner/add/README.mdx b/step-cli/reference/ca/provisioner/add/README.mdx
index d401a12c..ef3c3e5c 100644
--- a/step-cli/reference/ca/provisioner/add/README.mdx
+++ b/step-cli/reference/ca/provisioner/add/README.mdx
@@ -82,6 +82,7 @@ step ca provisioner add <name> --type=[AWS|Azure|GCP]
 [--azure-audience=<name>] [--azure-subscription-id=<id>]
 [--azure-object-id=<id>] [--instance-age=<duration>] [--iid-roots=<file>]
 [--disable-custom-sans] [--disable-trust-on-first-use]
+[--disable-ssh-ca-user] [--disable-ssh-ca-host]
 [--admin-cert=<file>] [--admin-key=<file>]
 [--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
 [--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
@@ -339,6 +340,12 @@ On cloud provisioners, if enabled multiple sign request for this provisioner
 with the same instance will be accepted. By default only the first request
 will be accepted.
 
+**--disable-ssh-ca-user**
+Disable ability to sign SSH user certificates
+
+**--disable-ssh-ca-host**
+Disable ability to sign SSH host certificates
+
 **--x509-template**=`file`
 The x509 certificate template `file`, a JSON representation of the certificate to create.
 
diff --git a/step-cli/reference/ca/provisioner/update/README.mdx b/step-cli/reference/ca/provisioner/update/README.mdx
index 0f371d9c..06c51ad5 100644
--- a/step-cli/reference/ca/provisioner/update/README.mdx
+++ b/step-cli/reference/ca/provisioner/update/README.mdx
@@ -74,6 +74,7 @@ step ca provisioner update <name>
 [--azure-audience=<name>] [--azure-subscription-id=<id>]
 [--azure-object-id=<id>] [--instance-age=<duration>]
 [--disable-custom-sans] [--disable-trust-on-first-use]
+[--disable-ssh-ca-user] [--disable-ssh-ca-host]
 [--admin-cert=<file>] [--admin-key=<file>]
 [--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
 [--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
@@ -348,6 +349,12 @@ On cloud provisioners, if enabled multiple sign request for this provisioner
 with the same instance will be accepted. By default only the first request
 will be accepted.
 
+**--disable-ssh-ca-user**
+Disable ability to sign SSH user certificates
+
+**--disable-ssh-ca-host**
+Disable ability to sign SSH host certificates
+
 **--x509-template**=`file`
 The x509 certificate template `file`, a JSON representation of the certificate to create.