Index: openssh-9.9p1/auth2-pubkey.c
===================================================================
--- openssh-9.9p1.orig/auth2-pubkey.c
+++ openssh-9.9p1/auth2-pubkey.c
@@ -524,11 +524,16 @@ user_cert_trusted_ca(struct passwd *pw,
 	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
 		return 0;
 
+	
+
 	if ((r = sshkey_in_file(key->cert->signature_key,
 	    options.trusted_user_ca_keys, 1, 0)) != 0) {
 		debug2_fr(r, "CA %s %s is not listed in %s",
 		    sshkey_type(key->cert->signature_key), ca_fp,
 		    options.trusted_user_ca_keys);
+		verbose("CA %s %s is not listed in %s",
+		    sshkey_type(key->cert->signature_key), ca_fp,
+		    options.trusted_user_ca_keys);
 		goto out;
 	}
 	/*
@@ -540,6 +545,9 @@ user_cert_trusted_ca(struct passwd *pw,
 		if (match_principals_file(pw, principals_file,
 		    key->cert, &principals_opts))
 			found_principal = 1;
+		else {
+			verbose("Did not match any principals from auth_principals_* files");
+		}
 	}
 	/* Try querying command if specified */
 	if (!found_principal && match_principals_command(pw, key,
@@ -580,6 +588,11 @@ user_cert_trusted_ca(struct passwd *pw,
 		if ((final_opts = sshauthopt_merge(principals_opts,
 		    cert_opts, &reason)) == NULL) {
  fail_reason:
+			verbose("Rejected cert ID \"%s\" with signature "
+			    "%s signed by %s CA %s via %s",
+			    key->cert->key_id, ca_fp,
+			    sshkey_type(key->cert->signature_key), ca_fp,
+			    options.trusted_user_ca_keys);
 			error("%s", reason);
 			auth_debug_add("%s", reason);
 			goto out;
@@ -587,7 +600,7 @@ user_cert_trusted_ca(struct passwd *pw,
 	}
 	slog_set_cert_serial((unsigned long long)key->cert->serial);
 	/* Success */
-	verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
+	verbose("Accepted cert ID \"%s\" (serial %llu) signed by "
 	    "%s CA %s via %s", key->cert->key_id,
 	    (unsigned long long)key->cert->serial,
 	    sshkey_type(key->cert->signature_key), ca_fp,
@@ -604,6 +617,7 @@ user_cert_trusted_ca(struct passwd *pw,
 	sshauthopt_free(final_opts);
 	free(principals_file);
 	free(ca_fp);
+
 	return ret;
 }
 
Index: openssh-9.9p1/regress/cert-logging.sh
===================================================================
--- /dev/null
+++ openssh-9.9p1/regress/cert-logging.sh
@@ -0,0 +1,84 @@
+tid="cert logging"
+
+CERT_ID="cert_id"
+PRINCIPAL=$USER
+SERIAL=0
+
+log_grep() {
+    if [ "$(grep -c -G "$1" "$TEST_SSHD_LOGFILE")" == "0" ]; then
+        return 1;
+    else
+        return 0;
+    fi
+}
+
+cat << EOF >> $OBJ/sshd_config
+TrustedUserCAKeys $OBJ/ssh-rsa.pub
+Protocol 2
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+AuthorizedPrincipalsFile $OBJ/auth_principals
+EOF
+
+if [ ! -f $OBJ/trusted_rsa ]; then
+    ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/trusted_rsa
+fi
+if [ ! -f $OBJ/untrusted_rsa ]; then
+    ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/untrusted_rsa
+fi
+
+${SSHKEYGEN} -q -s $OBJ/ssh-rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/trusted_rsa.pub ||
+    fatal "Could not create trusted SSH cert"
+
+${SSHKEYGEN} -q -s $OBJ/untrusted_rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/untrusted_rsa.pub ||
+    fatal "Could not create untrusted SSH cert"
+
+CA_FP="$(${SSHKEYGEN} -l -E sha256 -f ssh-rsa | cut -d' ' -f2)"
+KEY_FP="$(${SSHKEYGEN} -l -E sha256 -f trusted_rsa | cut -d' ' -f2)"
+UNTRUSTED_CA_FP="$(${SSHKEYGEN} -l -E sha256 -f untrusted_rsa | cut -d' ' -f2)"
+
+start_sshd
+
+
+test_no_principals() {
+    echo > $OBJ/auth_principals
+    ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||
+        fatal "SSH failed"
+
+    if ! log_grep 'Did not match any principals from auth_principals_\* files'; then
+        fail "No 'Did not match any principals' message"
+    fi
+
+    if ! log_grep "Rejected cert ID \"$CERT_ID\" with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then
+        fail "No 'Rejected cert ID' message"
+    fi
+}
+
+
+test_with_principals() {
+    echo $USER > $OBJ/auth_principals
+    ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||
+        fatal "SSH failed"
+
+    if ! log_grep "Matched principal \"$PRINCIPAL\" from $OBJ/auth_principals:1 against \"$PRINCIPAL\" from cert"; then
+        fail "No 'Matched principal' message"
+    fi
+    if ! log_grep "Accepted cert ID \"$CERT_ID\" (serial $SERIAL) with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then
+        fail "No 'Accepted cert ID' message"
+    fi
+}
+
+
+test_untrusted_cert() {
+    ${SSH} -F $OBJ/ssh_config -i $OBJ/untrusted_rsa-cert.pub somehost true ||
+        fatal "SSH failed"
+
+    if ! log_grep "CA RSA $UNTRUSTED_CA_FP is not listed in $OBJ/ssh-rsa.pub"; then
+        fail "No 'CA is not listed' message"
+    fi
+}
+
+
+test_no_principals
+test_with_principals
+test_untrusted_cert