SSH certificates: the better SSH experience
https://jpmens.net/2026/04/03/ssh-certificates-the-better-ssh-experience/
edit: I have clarified some of the examples and have incorporated most of your feedback, for which many thanks!
@jpmens I've read the man pages and write-ups like these before. Users (and many sysadmins) can just barely handle SSH keys as is.
I am having a hard time imagining a robust process around granting users access to remote systems and network devices with this.
Generating a user's private key on their behalf would be a huge legal liability under legislation like NIS2.
Have you done any successful deployments of CAs?
@holsta the point is the CA doesn’t need (or want) a user’s private key; it gets and signs the public key. I certainly hope that is clear from the text …
edit: I see the sentence which wasn’t clear enough, and I’ve now replaced it. Thank you.
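The signing flow discussed in the replies above, as an added example that is not part of the thread or of the linked article: the user generates the key pair, only the `.pub` file reaches the CA, and the CA returns a certificate. The two directories stand in for two separate machines, and the names `alice`, `demo-ca` and the one-day validity are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: "$work/user" and "$work/ca" stand in for two machines.
sign_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/user" "$work/ca"

    # CA side: the CA's own signing key. It never leaves the CA.
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$work/ca/ca_key" || return 1

    # User side: the user generates the key pair; the private key stays here.
    ssh-keygen -q -t ed25519 -N '' -C alice -f "$work/user/id_ed25519" || return 1

    # The only thing handed to the CA is the public key.
    cp "$work/user/id_ed25519.pub" "$work/ca/alice.pub"

    # CA signs it: key identity "alice", principal "alice", valid for one day.
    ssh-keygen -q -s "$work/ca/ca_key" -I alice -n alice -V +1d \
        "$work/ca/alice.pub" || return 1

    # The resulting certificate goes back to the user, next to the private key.
    cp "$work/ca/alice-cert.pub" "$work/user/id_ed25519-cert.pub"

    # Check 1: the certificate wraps exactly the key the user generated.
    user_fp=$(ssh-keygen -l -f "$work/user/id_ed25519.pub" | awk '{print $2}')
    cert_fp=$(ssh-keygen -L -f "$work/user/id_ed25519-cert.pub" |
        awk '/Public key:/ {print $NF}')

    # Check 2: the only private key on the CA side is the CA's own.
    ca_private=$(grep -l 'PRIVATE KEY' "$work/ca"/* | wc -l | tr -d ' ')

    rm -rf "$work"
    echo "user key: $user_fp"
    echo "cert key: $cert_fp"
    echo "private keys held by CA: $ca_private"
    [ -n "$user_fp" ] && [ "$user_fp" = "$cert_fp" ] && [ "$ca_private" = 1 ]
}

sign_demo || echo "demo failed (is ssh-keygen installed?)" >&2
```
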