diff --git a/README.md b/README.md
index 51f9009..34300da 100644
--- a/README.md
+++ b/README.md
@@ -367,7 +367,7 @@ Subkeys must be renewed or rotated using the Certify key - see [Updating keys](#
 Set Subkeys to expire on a planned date:
 
 ```console
-export EXPIRATION=2027-05-01
+export EXPIRATION=2027-07-01
 ```
 
 The expiration date may also be relative, for example set to two years from today:
@@ -438,7 +438,7 @@ export KEYID=$(gpg -k --with-colons "$IDENTITY" | \
 export KEYFP=$(gpg -k --with-colons "$IDENTITY" | \
     awk -F: '/^fpr:/ { print $10; exit }')
 
-printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP"
+printf "\nKey ID/Fingerprint: %20s\n%s\n\n" "$KEYID" "$KEYFP"
 ```
 
 <details>
@@ -487,14 +487,27 @@ EOF
 
 # Create Subkeys
 
-Generate Signature, Encryption and Authentication Subkeys using the previously configured key type, passphrase and expiration:
+Generate Signature and Encryption Subkeys using the previously configured key type, passphrase and expiration:
 
 ```console
-for SUBKEY in sign encrypt auth ; do \
-    echo "$CERTIFY_PASS" | \
+echo "$CERTIFY_PASS" | \
     gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
-        --quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$EXPIRATION"
-done
+        --quick-add-key "$KEYFP" "$KEY_TYPE" sign "$EXPIRATION"
+
+echo "$CERTIFY_PASS" | \
+    gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
+        --quick-add-key "$KEYFP" "$KEY_TYPE" encrypt "$EXPIRATION"
+```
+
+Followed by the Authentication Subkey:
+
+> [!NOTE]
+> Some systems no longer accept RSA for SSH authentication; to use [Ed25519](https://ed25519.cr.yp.to/), set the `KEY_TYPE` variable to `ed25519` before generating Authentication Subkey.
+
+```
+echo "$CERTIFY_PASS" | \
+    gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
+        --quick-add-key "$KEYFP" "$KEY_TYPE" auth "$EXPIRATION"
 ```
 
 # Verify keys
@@ -508,12 +521,12 @@ gpg -K
 The output will display **[C]ertify, [S]ignature, [E]ncryption and [A]uthentication** keys:
 
 ```console
-sec   rsa4096/0xF0F2CFEB04341FB5 2025-01-01 [C]
+sec   rsa4096/0xF0F2CFEB04341FB5 2025-07-01 [C]
       Key fingerprint = 4E2C 1FA3 372C BA96 A06A  C34A F0F2 CFEB 0434 1FB5
 uid                   [ultimate] YubiKey User <yubikey@example>
-ssb   rsa4096/0xB3CD10E502E19637 2025-01-01 [S] [expires: 2027-05-01]
-ssb   rsa4096/0x30CBE8C4B085B9F7 2025-01-01 [E] [expires: 2027-05-01]
-ssb   rsa4096/0xAD9E24E1B8CB9600 2025-01-01 [A] [expires: 2027-05-01]
+ssb   rsa4096/0xB3CD10E502E19637 2025-07-01 [S] [expires: 2027-07-01]
+ssb   rsa4096/0x30CBE8C4B085B9F7 2025-07-01 [E] [expires: 2027-07-01]
+ssb   rsa4096/0xAD9E24E1B8CB9600 2025-07-01 [A] [expires: 2027-07-01]
 ```
 
 # Backup keys
@@ -947,12 +960,12 @@ EOF
 Verify Subkeys are on YubiKey with `gpg -K` - indicated by `ssb>`:
 
 ```console
-sec   rsa4096/0xF0F2CFEB04341FB5 2025-01-01 [C]
+sec   rsa4096/0xF0F2CFEB04341FB5 2025-07-01 [C]
       Key fingerprint = 4E2C 1FA3 372C BA96 A06A  C34A F0F2 CFEB 0434 1FB5
 uid                   [ultimate] YubiKey User <yubikey@example>
-ssb>  rsa4096/0xB3CD10E502E19637 2025-01-01 [S] [expires: 2027-05-01]
-ssb>  rsa4096/0x30CBE8C4B085B9F7 2025-01-01 [E] [expires: 2027-05-01]
-ssb>  rsa4096/0xAD9E24E1B8CB9600 2025-01-01 [A] [expires: 2027-05-01]
+ssb>  rsa4096/0xB3CD10E502E19637 2025-07-01 [S] [expires: 2027-07-01]
+ssb>  rsa4096/0x30CBE8C4B085B9F7 2025-07-01 [E] [expires: 2027-07-01]
+ssb>  rsa4096/0xAD9E24E1B8CB9600 2025-07-01 [A] [expires: 2027-07-01]
 ```
 
 The `>` after a tag indicates the key is stored on a smart card.
@@ -1116,18 +1129,18 @@ PIN retry counter : 3 3 3
 Signature counter : 0
 KDF setting ......: on
 Signature key ....: CF5A 305B 808B 7A0F 230D  A064 B3CD 10E5 02E1 9637
-      created ....: 2025-01-01 12:00:00
+      created ....: 2025-07-01 12:00:00
 Encryption key....: A5FA A005 5BED 4DC9 889D  38BC 30CB E8C4 B085 B9F7
-      created ....: 2025-01-01 12:00:00
+      created ....: 2025-07-01 12:00:00
 Authentication key: 570E 1355 6D01 4C04 8B6D  E2A3 AD9E 24E1 B8CB 9600
-      created ....: 2025-01-01 12:00:00
-General key info..: sub  rsa4096/0xB3CD10E502E19637 2025-01-01 YubiKey User <yubikey@example>
-sec#  rsa4096/0xF0F2CFEB04341FB5  created: 2025-01-01  expires: never
-ssb>  rsa4096/0xB3CD10E502E19637  created: 2025-01-01  expires: 2027-05-01
+      created ....: 2025-07-01 12:00:00
+General key info..: sub  rsa4096/0xB3CD10E502E19637 2025-07-01 YubiKey User <yubikey@example>
+sec#  rsa4096/0xF0F2CFEB04341FB5  created: 2025-07-01  expires: never
+ssb>  rsa4096/0xB3CD10E502E19637  created: 2025-07-01  expires: 2027-07-01
                                   card-no: 0006 05553211
-ssb>  rsa4096/0x30CBE8C4B085B9F7  created: 2025-01-01  expires: 2027-05-01
+ssb>  rsa4096/0x30CBE8C4B085B9F7  created: 2025-07-01  expires: 2027-07-01
                                   card-no: 0006 05553211
-ssb>  rsa4096/0xAD9E24E1B8CB9600  created: 2025-01-01  expires: 2027-05-01
+ssb>  rsa4096/0xAD9E24E1B8CB9600  created: 2025-07-01  expires: 2027-07-01
                                   card-no: 0006 05553211
 ```
 
@@ -1793,7 +1806,7 @@ gpg-connect-agent "scd serialno" "learn --force" /bye
 Alternatively, use a script to delete the GnuPG shadowed key, where the serial number is stored (see [GnuPG #T2291](https://dev.gnupg.org/T2291)):
 
 ```console
-cat >> ~/scripts/remove-keygrips.sh <<EOF
+mkdir -p ~/scripts && cat >> ~/scripts/remove-keygrips.sh <<EOF
 #!/usr/bin/env bash
 (( $# )) || { echo "Specify a key." >&2; exit 1; }
 KEYGRIPS=$(gpg --with-keygrip --list-secret-keys "$@" | awk '/Keygrip/ { print $3 }')
diff --git a/scripts/generate.sh b/scripts/generate.sh
index faf857f..a054585 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
@@ -11,14 +11,20 @@ umask 077
 
 export LC_ALL="C"
 
+fail() {
+    # Print an error string in red and exit.
+    tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0
+    exit 1
+}
+
 print_cred () {
-  # Print a credential string in red.
-  tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0
+    # Print a credential string in red.
+    tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0
 }
 
 print_id () {
-  # Print an identity string in yellow.
-  tput setaf 3 ; printf "%s\n" "${1}" ; tput sgr0
+    # Print an identity string in yellow.
+    tput setaf 3 ; printf "%s\n" "${1}" ; tput sgr0
 }
 
 get_id_label () {
@@ -26,14 +32,28 @@ get_id_label () {
     printf "YubiKey User <yubikey@example.domain>"
 }
 
-get_key_type () {
-    # Returns key type and size.
+get_key_type_sign () {
+    # Returns key type for signature subkey.
+    #printf "default"
     printf "rsa4096"
 }
 
+get_key_type_enc () {
+    # Returns key type for encryption subkey.
+    #printf "default"
+    printf "rsa4096"
+}
+
+get_key_type_auth () {
+    # Returns key type for authentication subkey.
+    #printf "default"
+    #printf "rsa4096"
+    printf "ed25519"
+}
+
 get_key_expiration () {
     # Returns key expiration date.
-    printf "2027-05-01"
+    printf "2027-07-01"
 }
 
 get_temp_dir () {
@@ -51,10 +71,12 @@ set_temp_dir () {
 set_attrs () {
     # Sets identity and key attributes.
     export IDENTITY="$(get_id_label)"
-    export KEY_TYPE="$(get_key_type)"
+    export KEY_TYPE_SIGN="$(get_key_type_sign)"
+    export KEY_TYPE_ENC="$(get_key_type_enc)"
+    export KEY_TYPE_AUTH="$(get_key_type_auth)"
     export KEY_EXPIRATION="$(get_key_expiration)"
-    printf "set attributes (label='%s', type='%s', expire='%s')\n" \
-        "$IDENTITY" "$KEY_TYPE" "$KEY_EXPIRATION"
+    printf "set attributes (label='%s', sign='%s', enc='%s', auth='%s', expire='%s')\n" \
+        "$IDENTITY" "$KEY_TYPE_SIGN" "$KEY_TYPE_ENC" "$KEY_TYPE_AUTH" "$KEY_EXPIRATION"
 }
 
 get_pass () {
@@ -78,8 +100,7 @@ gen_key_certify () {
     # Generates Certify key with no expiration.
     echo "$CERTIFY_PASS" | \
         gpg --batch --passphrase-fd 0 \
-            --quick-generate-key "$IDENTITY" \
-            "$KEY_TYPE" "cert" "never"
+            --quick-generate-key "$IDENTITY" "$KEY_TYPE_SIGN" "cert" "never"
 }
 
 set_fingerprint () {
@@ -87,18 +108,23 @@ set_fingerprint () {
     key_list=$(gpg --list-secret-keys --with-colons)
     export KEY_ID=$(printf "$key_list" | awk -F: '/^sec/ { print  $5; exit }')
     export KEY_FP=$(printf "$key_list" | awk -F: '/^fpr/ { print $10; exit }')
+    if [[ -z "$KEY_FP" || -z "$KEY_ID" ]]; then
+        fail "could not set key fingerprint"
+    fi
     printf "got identity (fp='%s', id='%s')\n" "$KEY_FP" "$KEY_ID"
 }
 
 gen_key_subs () {
     # Generates Subkeys with specified expiration.
-    for SUBKEY in sign encrypt auth ; do \
-        echo "$CERTIFY_PASS" | \
-            gpg --batch --passphrase-fd 0 \
-                --pinentry-mode=loopback \
-                --quick-add-key "$KEY_FP" \
-                "$KEY_TYPE" "$SUBKEY" "$KEY_EXPIRATION"
-    done
+    echo "$CERTIFY_PASS" | \
+        gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \
+            --quick-add-key "$KEY_FP" "$KEY_TYPE_SIGN" sign "$KEY_EXPIRATION"
+    echo "$CERTIFY_PASS" | \
+        gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \
+            --quick-add-key "$KEY_FP" "$KEY_TYPE_ENC" encrypt "$KEY_EXPIRATION"
+    echo "$CERTIFY_PASS" | \
+        gpg --batch --passphrase-fd 0  --pinentry-mode=loopback \
+            --quick-add-key "$KEY_FP" "$KEY_TYPE_AUTH" auth "$KEY_EXPIRATION"
 }
 
 save_secrets () {