I tried Paramiko firstly. But it turns out it’s much easier with asyncssh. Then I tried to implement with scp because it’s user friendly, just “scp ca-server:ops.pub ~/.ssh/id_ed25519-cert.pub”. I want to hook the “scp” request and generate the cert file dynamically. But there are some bugs now so I switch to ssh.

No. I haven’t see that thread before. I have thought the problem for a long time and just got the idea(use ssh to sign keys automatically) three days ago.