[stingraycharles]

How does that work, do you know a good tutorial for this?

[dnet]

I made my own CA for this because nothing else could provide transparency regarding certificate issuance (whether an attacker issued a "spare" backdoor certificate)

- source code: https://github.com/silentsignal/zsca

- my talk about the design and results: https://pretalx.hsbp.org/camppp7e5/talk/D3E9HN/

[enasterosophes]

Look for a tutorial on ssh certificate auth, and use ed25519-sk keys for the CA.