> Your personal (private) key lives on your workstation, and CA key lives on RPi.

Yep.

> There are some other machines that you want to SSH into. They trust CA public key.

Yep, with TrustedUserCAKeys.

> The remote servers trust the certificate issuer, verify that you own the certificate's private key, and let you in.

Yep. Additionally, the servers themselves present CA-signed certificates alongside their host keys. My GlobalKnownHostsFile contains the CA public key, so when I connect to a host for the first time, there's no "unknown host" warning and my user's known_hosts file is not updated.

> If so, how do you issue the certificates that live on RPi?

The CA has a directory containing the public keys of every user and host that I set up. A cronjob periodically runs ssh-keygen -s against these files, and copies them to htdocs. Each host and user has a cronjob that periodically fetches its certificate and copies it to /etc/ssh or ~/.ssh, respectively.
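The signing step and the two trust anchors described in this reply, as an added example that is not the commenter's own scripts: a throwaway CA in a scratch directory signs one user key and one host key with ssh-keygen -s, then prints the sshd_config lines (TrustedUserCAKeys plus HostCertificate) and the @cert-authority line that goes into GlobalKnownHostsFile. The principal "alice", the host name "web1.example.internal", the 52-week validity and the file paths are assumptions; the cron/htdocs distribution part of the setup is left out.

```shell
#!/bin/sh
# Added example, not the commenter's scripts. Assumed names: principal "alice",
# host "web1.example.internal", 52-week validity, /etc/ssh paths in the fragments.
set -eu

# Create CA, user and host keypairs under $1 (a constructed scratch directory).
make_keys() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$dir/ca"
    ssh-keygen -q -t ed25519 -N '' -C 'alice@workstation' -f "$dir/id_ed25519"
    ssh-keygen -q -t ed25519 -N '' -C 'web1 host key' -f "$dir/ssh_host_ed25519_key"
}

# Sign a user public key: -I is the key id that shows up in sshd logs, -n the
# principals (usernames) the cert is valid for, -V the validity window.
# ssh-keygen writes the result next to the key as id_ed25519-cert.pub.
sign_user() {
    dir=$1; principal=$2
    ssh-keygen -q -s "$dir/ca" -I "user-$principal" -n "$principal" -V +52w "$dir/id_ed25519.pub"
}

# Sign a host public key: -h marks it as a host certificate and -n lists the
# host names a client may match it against.
sign_host() {
    dir=$1; host=$2
    ssh-keygen -q -s "$dir/ca" -I "host-$host" -h -n "$host" -V +52w "$dir/ssh_host_ed25519_key.pub"
}

# Print the principals embedded in a certificate, one per line, from ssh-keygen -L.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { p = 1; next }
        /Critical Options:/ { p = 0 }
        p                   { gsub(/^[ \t]+/, ""); print }'
}

# Print "host" or "user" depending on the certificate's Type line.
cert_type() {
    ssh-keygen -L -f "$1" | awk '
        /Type:/ { t = ($0 ~ /host certificate/) ? "host" : "user"; print t; exit }'
}

# sshd_config lines for a server that accepts CA-signed user certificates and
# presents its own CA-signed host certificate next to its host key.
sshd_fragment() {
    printf 'TrustedUserCAKeys /etc/ssh/ca.pub\n'
    printf 'HostKey /etc/ssh/ssh_host_ed25519_key\n'
    printf 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
}

# GlobalKnownHostsFile line: any host certificate signed by this CA is trusted,
# so first connections give no "unknown host" prompt and known_hosts stays unchanged.
known_hosts_line() {
    printf '@cert-authority * %s\n' "$(cut -d' ' -f1,2 "$1/ca.pub")"
}

main() {
    d=$(mktemp -d)
    make_keys "$d"
    sign_user "$d" alice
    sign_host "$d" web1.example.internal
    echo "--- user certificate";   ssh-keygen -L -f "$d/id_ed25519-cert.pub"
    echo "--- host certificate";   ssh-keygen -L -f "$d/ssh_host_ed25519_key-cert.pub"
    echo "--- sshd_config fragment"; sshd_fragment
    echo "--- known_hosts line";   known_hosts_line "$d"
    rm -rf "$d"
}

# Run the full walkthrough only when invoked as: sh ca-demo.sh demo
case "${1:-}" in demo) main ;; esac
```

Invoke it with the argument `demo` to see both certificates decoded by ssh-keygen -L; the Principals block of the user certificate is what sshd compares against the login name, and the host name listed in the host certificate is what the client matches against the address it connected to, so a certificate signed by the CA for the wrong principal is still rejected.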