SSH certificates are great in theory, but the whole certificate management, ad-hoc issuance, and revocation require boatloads of infrastructure.
If you do it right, certificates will be signed as needed and have a short validity period, say half an hour or something. That means you need an automated signing application, or a very cheap full-time certificate manager.
I’ve actually started working on such an app recently, including a web portal, CA rotation, automated configuration distribution, etc. Still far from usable, but if you’re interested in contributing: https://github.com/Radiergummi/fides
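The short-lived-certificate workflow described in this comment, as an added example that is not the commenter's code and not taken from the linked fides project: a CA is created, a user certificate is issued with a validity window of a few minutes, the certificate is read back to confirm its principal, serial and window, and a KRL is written for the rare case where a certificate has to be withdrawn before it expires. It assumes OpenSSH's `ssh-keygen` is on PATH; the CA name, user names, serials and paths are constructed demo values.

```shell
#!/bin/sh
# Added example: not the commenter's code and not from the fides project. It is the core of
# a minimal automated SSH CA: create a CA, issue a user certificate that expires in a few
# minutes, read the certificate back, and publish a KRL for the rare early revocation.
# Requires OpenSSH's ssh-keygen; every path and name below is a constructed demo value.
set -eu

# Create a CA key pair under DIR and print the private key path.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$1/ca"
    printf '%s\n' "$1/ca"
}

# Sign USER_PUB for PRINCIPAL, valid from now for MINUTES minutes (a window as short
# as 30 minutes is what makes revocation almost unnecessary). SERIAL defaults to the
# epoch time; a real signer keeps a monotonic counter so serials are unambiguous.
# Prints the certificate path (ssh-keygen writes it next to the key as <name>-cert.pub).
issue_cert() {
    ca_key=$1 user_pub=$2 principal=$3 minutes=$4 serial=${5:-$(date +%s)}
    ssh-keygen -q -s "$ca_key" -I "auto-${principal}-${serial}" -n "$principal" \
        -z "$serial" -V "+${minutes}m" "$user_pub"
    printf '%s\n' "${user_pub%.pub}-cert.pub"
}

# Print one field of a certificate as shown by `ssh-keygen -L`, e.g. Serial or Valid.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

# Print the principals embedded in a certificate, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/^ *Principals:/ { p = 1; next } p && /:( |$)/ { p = 0 } p { sub(/^ +/, ""); print }'
}

# Add CERT to the KRL at KRL_PATH (created on first use); sshd loads it via RevokedKeys.
revoke_cert() {
    if [ -f "$1" ]; then
        ssh-keygen -q -k -u -f "$1" "$2"
    else
        ssh-keygen -q -k -f "$1" "$2"
    fi
}

# Exit status 0 if CERT is listed in the KRL at KRL_PATH, 1 if it is still accepted.
cert_revoked() {
    ! ssh-keygen -Q -f "$1" "$2" >/dev/null
}

# Stand-alone walk-through; skipped when ssh-keygen is unavailable.
if command -v ssh-keygen >/dev/null 2>&1; then
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    ca=$(make_ca "$work")
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$work/alice"
    cert=$(issue_cert "$ca" "$work/alice.pub" alice 30)
    echo "issued:     $cert"
    echo "valid:      $(cert_field "$cert" Valid)"
    echo "principals: $(cert_principals "$cert" | tr '\n' ' ')"
    revoke_cert "$work/revoked.krl" "$cert"
    cert_revoked "$work/revoked.krl" "$cert" && echo "revoked:    yes"
fi
```

On the server side, the CA's public key is trusted with `TrustedUserCAKeys` in `sshd_config`, and the KRL, if one is used at all, is pointed to by `RevokedKeys`; with a 30-minute window the signer's job is mostly to re-issue on demand, and the KRL only matters for the few minutes between a compromise being noticed and the certificate expiring on its own.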