diff --git a/cassh.1 b/cassh.1
index 4582abc..d6220ab 100644
--- a/cassh.1
+++ b/cassh.1
@@ -30,13 +30,13 @@
 .Bk -words
 .Cm mkfile
 .Ic authorized_keys
-.Op options
+.Op options ...
 .Ek
 .Nm
 .Bk -words
 .Cm mkfile
 .Ic known_hosts
-.Op hostnames
+.Op hostnames ...
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -104,25 +104,25 @@ accepts the tokens %% and %f.
 After token expansion, all recognized options are passed down to
 .Xr ssh-keygen 1
 process.
-.It Cm mkfile Ic authorized_keys Op Ar options
+.It Cm mkfile Ic authorized_keys Op Ar options ...
 Write an
 .Ic authorized_keys
 file on standard output corresponding to the current Certification
 Authority.
 .Ar options
-is copied verbatim to the output, and
+are concatenated with commas and copied verbatim to the output.
 .Cm cert-authority
-is always added.
+is always added to the options list.
 See
 .Xr sshd 8 AUTHORIZED_KEYS FILE FORMAT
 for details.
-.It Cm mkfile Ic known_hosts Op Ar hostnames
+.It Cm mkfile Ic known_hosts Op Ar hostnames ...
 Write a
 .Ic known_hosts
 file on standard output corresponding to the current Certification
 Authority.
 .Ar hostnames
-is copied verbatim to the output.
+are concatenated with commans and copied verbatim to the output.
 See
 .Xr sshd 8 SSH_KNOWN_HOSTS FILE FORMAT
 for details.
diff --git a/cassh.sh b/cassh.sh
index 52d79ce..7a2be9e 100644
--- a/cassh.sh
+++ b/cassh.sh
@@ -17,8 +17,8 @@ usage()
 Usage:
 	${0##*/} issue [-hqv] [-I key_id] [-n principals]
 	    [-V validity_interval]
-	${0##*/} mkfile authorized_keys [options]
-	${0##*/} mkfile known_hosts [hostnames]
+	${0##*/} mkfile authorized_keys [options ...]
+	${0##*/} mkfile known_hosts [hostnames ...]
 EOF
 	exit 1
 }
@@ -181,17 +181,11 @@ main_mkfile()
 
 	case $file in
 	authorized_keys)
-		if [ $# -gt 1 ]; then
-			usage
-		fi
-		options=cert-authority${1:+,$1}
+		options=$(printf "%s\n" cert-authority "$@" | paste -sd , -)
 		printf "%s " "$options"
 		;;
 	known_hosts)
-		if [ $# -gt 1 ]; then
-			usage
-		fi
-		hostnames=${1:-}
+		hostnames=$(printf "%s\n" "$@" | paste -sd , -)
 		if [ -n "$hostnames" ]; then
 			printf "@cert-authority %s " "$hostnames"
 		else