diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index 97b0853311b89..b4ad29af44835 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -606,6 +606,15 @@ var (
 		[]string{teleport.TagRoles, teleport.TagResources},
 	)
 
+	userCertificatesGeneratedMetric = prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Namespace: teleport.MetricNamespace,
+			Name:      teleport.MetricUserCertificatesGenerated,
+			Help:      "Tracks the number of user certificates generated",
+		},
+		[]string{teleport.TagPrivateKeyPolicy},
+	)
+
 	prometheusCollectors = []prometheus.Collector{
 		generateRequestsCount, generateThrottledRequestsCount,
 		generateRequestsCurrent, generateRequestsLatencies, UserLoginCount, heartbeatsMissedByAuth,
@@ -613,6 +622,7 @@ var (
 		totalInstancesMetric, enrolledInUpgradesMetric, upgraderCountsMetric,
 		accessRequestsCreatedMetric,
 		registeredAgentsInstallMethod,
+		userCertificatesGeneratedMetric,
 	}
 )
 
@@ -2620,6 +2630,8 @@ func generateCert(a *Server, req certRequest, caType types.CertAuthType) (*proto
 
 	a.submitCertificateIssuedEvent(&req)
 
+	userCertificatesGeneratedMetric.WithLabelValues(string(attestedKeyPolicy)).Inc()
+
 	return certs, nil
 }
 
diff --git a/metrics.go b/metrics.go
index 775ee0a2d147a..24adb2572cb73 100644
--- a/metrics.go
+++ b/metrics.go
@@ -112,6 +112,11 @@ const (
 	TagRoles = "roles"
 	// TagResources is a number of resources requested as a part of access request.
 	TagResources = "resources"
+
+	// UserCertificatesCreated provides total number of user certificates generated.
+	MetricUserCertificatesGenerated = "user_certificates_generated"
+	// TagPrivateKeyPolicy is a private key policy associated with a user's certificates.
+	TagPrivateKeyPolicy = "private_key_policy"
 )
 
 const (