diff --git a/gcp/modules/sigstore/sigstore.tf b/gcp/modules/sigstore/sigstore.tf
index 28a5856..b808afb 100644
--- a/gcp/modules/sigstore/sigstore.tf
+++ b/gcp/modules/sigstore/sigstore.tf
@@ -291,6 +291,7 @@ module "fulcio" {
 // Certificate authority
 ca_pool_name = var.ca_pool_name
 ca_name = var.ca_name
+ ca_type = var.ca_type
 
 // KMS
 fulcio_keyring_name = var.fulcio_keyring_name
diff --git a/gcp/modules/sigstore/variables.tf b/gcp/modules/sigstore/variables.tf
index 7065428..693f541 100644
--- a/gcp/modules/sigstore/variables.tf
+++ b/gcp/modules/sigstore/variables.tf
@@ -469,6 +469,12 @@ variable "ca_name" {
 default = "sigstore-authority"
 }
 
+variable "ca_type" {
+ description = "What kind of CA Fulcio is running and therefore what kind of key to create. Possible values are 'kmsca' or 'tinkca'. Defaults to 'kmsca' which creates an asymmetric signing key. Use 'tinkca' to create a symmetric encryption/decryption key."
+ type = string
+ default = "kmsca"
+}
+
 variable "fulcio_keyring_name" {
 type = string
 description = "Name of Fulcio keyring."
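Review bot: The new `ca_type` variable in variables.tf accepts any string, although its description allows only 'kmsca' or 'tinkca'. Because the value decides whether an asymmetric signing key or a symmetric encryption/decryption key is created, a typo should fail at plan time rather than reach the fulcio module, whose handling of an unrecognized value is not visible in this diff. A `validation` block on the variable would enforce the two documented values. The sigstore.tf hunk passes the value through unchanged (`ca_type = var.ca_type`), so checking it once at the variable covers that path as well.

```hcl
variable "ca_type" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["kmsca", "tinkca"], var.ca_type)
    error_message = "The ca_type value must be 'kmsca' or 'tinkca'."
  }
}
```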