diff --git a/backend/src/ee/services/pam-account/pam-account-service.ts b/backend/src/ee/services/pam-account/pam-account-service.ts
index babfef7980..b03a7081e7 100644
--- a/backend/src/ee/services/pam-account/pam-account-service.ts
+++ b/backend/src/ee/services/pam-account/pam-account-service.ts
@@ -164,12 +164,22 @@ export const pamAccountServiceFactory = ({
       kmsService
     });
 
+    // Decrypt resource metadata if available
+    const resourceMetadata = resource.encryptedResourceMetadata
+      ? await decryptResourceMetadata({
+          encryptedMetadata: resource.encryptedResourceMetadata,
+          projectId: resource.projectId,
+          kmsService
+        })
+      : undefined;
+
     const factory = PAM_RESOURCE_FACTORY_MAP[resource.resourceType as PamResource](
       resource.resourceType as PamResource,
       connectionDetails,
       resource.gatewayId,
       gatewayV2Service,
-      resource.projectId
+      resource.projectId,
+      resourceMetadata
     );
     const validatedCredentials = await factory.validateAccountCredentials(credentials);
 
@@ -280,12 +290,22 @@ export const pamAccountServiceFactory = ({
         kmsService
       });
 
+      // Decrypt resource metadata if available
+      const resourceMetadata = resource.encryptedResourceMetadata
+        ? await decryptResourceMetadata({
+            encryptedMetadata: resource.encryptedResourceMetadata,
+            projectId: account.projectId,
+            kmsService
+          })
+        : undefined;
+
       const factory = PAM_RESOURCE_FACTORY_MAP[resource.resourceType as PamResource](
         resource.resourceType as PamResource,
         connectionDetails,
         resource.gatewayId,
         gatewayV2Service,
-        account.projectId
+        account.projectId,
+        resourceMetadata
       );
 
       const decryptedCredentials = await decryptAccountCredentials({
diff --git a/backend/src/ee/services/pam-resource/pam-resource-types.ts b/backend/src/ee/services/pam-resource/pam-resource-types.ts
index 01788e5542..0f8cd1bb0a 100644
--- a/backend/src/ee/services/pam-resource/pam-resource-types.ts
+++ b/backend/src/ee/services/pam-resource/pam-resource-types.ts
@@ -89,7 +89,8 @@ export type TPamResourceFactory<T extends TPamResourceConnectionDetails, C exten
   connectionDetails: T,
   gatewayId: string | null | undefined,
   gatewayV2Service: Pick<TGatewayV2ServiceFactory, "getPlatformConnectionDetailsByGatewayId">,
-  projectId: string | null | undefined
+  projectId: string | null | undefined,
+  resourceMetadata?: TPamResourceMetadata
 ) => {
   validateConnection: TPamResourceFactoryValidateConnection<T>;
   validateAccountCredentials: TPamResourceFactoryValidateAccountCredentials<C>;
diff --git a/backend/src/ee/services/pam-resource/ssh/ssh-resource-factory.ts b/backend/src/ee/services/pam-resource/ssh/ssh-resource-factory.ts
index e871553630..59e8dbc827 100644
--- a/backend/src/ee/services/pam-resource/ssh/ssh-resource-factory.ts
+++ b/backend/src/ee/services/pam-resource/ssh/ssh-resource-factory.ts
@@ -14,7 +14,7 @@ import {
   TPamResourceFactoryValidateAccountCredentials
 } from "../pam-resource-types";
 import { SSHAuthMethod } from "./ssh-resource-enums";
-import { TSSHAccountCredentials, TSSHResourceConnectionDetails } from "./ssh-resource-types";
+import { TSSHAccountCredentials, TSSHResourceConnectionDetails, TSSHResourceMetadata } from "./ssh-resource-types";
 
 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
 
@@ -56,7 +56,9 @@ export const sshResourceFactory: TPamResourceFactory<TSSHResourceConnectionDetai
   resourceType,
   connectionDetails,
   gatewayId,
-  gatewayV2Service
+  gatewayV2Service,
+  _projectId,
+  resourceMetadata?: TSSHResourceMetadata
 ) => {
   const validateConnection = async () => {
     try {
@@ -192,11 +194,20 @@ export const sshResourceFactory: TPamResourceFactory<TSSHResourceConnectionDetai
               });
               break;
             case SSHAuthMethod.Certificate:
-              // For certificate auth, we don't validate by connecting to the SSH server
-              // The certificate will be issued on-demand when the session is accessed
+              // We cant fully validate the connection since ssh2 doesn't support cert auth
+              if (!resourceMetadata) {
+                reject(
+                  new BadRequestError({
+                    message:
+                      "SSH CA is not configured for this resource. Please set up the CA first using the SSH CA setup script."
+                  })
+                );
+                return;
+              }
+
               logger.info(
                 { username: credentials.username },
-                "[SSH Resource Factory] Certificate auth method selected - skipping SSH connection validation"
+                "[SSH Resource Factory] Certificate auth - CA is configured, skipping connection validation"
               );
               resolve();
               break;