
Ditch `authorized_keys` Sprawl: SSH User Certificates with OpenSSH CA (Practical Linux Guide)
If you manage more than a handful of Linux servers, `authorized_keys` eventually becomes a mess:

- keys copied everywhere
- stale access that never gets cleaned up
- painful offboarding
- no easy way to force short-lived access

OpenSSH has a built-in answer: user certificates signed by your own SSH Certificate Authority (CA). Instead of distributing every user key to every server, you:

- trust one CA public key on servers,
- issue short-lived user certificates,
- control access with principals,
- revoke when needed.

This guide is hands-on and keeps the moving parts minimal.

Why SSH certificates are cleaner than authorized_keys

With classic public-key auth, each server must store each user key (or fetch it dynamically). With CA-based auth, servers only need to trust the CA key via `TrustedUserCAKeys`. From there, login is allowed when:

- the cert is valid (within its `-V` validity window),
- the cert's principal matches what the server accepts,
- the cert is signed by the trusted CA.

That gives you clean central issuance and short-lived access with
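The flow described above, as an added example that is not part of the original post: create the CA, sign a user key with principals and an 8-hour validity window, and stage the server-side config. It assumes `ssh-keygen` from OpenSSH is installed; the scratch directory, user name and principal names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the CA flow described above,
# driven with ssh-keygen. Paths and names (scratch dir, alice, deploy) are
# assumptions for the demo; the sshd_config lines are standard OpenSSH options.
set -eu

# 1. Create the CA keypair. The private half is the crown jewel: keep it off
#    the fleet (signing host, HSM, or an agent); only ca_user_key.pub goes to servers.
make_ca() {                        # $1 = directory for the CA key
  ssh-keygen -q -t ed25519 -N '' -C 'ssh-user-ca' -f "$1/ca_user_key"
}

# 2. Issue a short-lived user certificate: -I is the key ID that shows up in
#    auth logs, -n the principals, -V the validity window (e.g. '+8h' = 8 hours).
sign_user_key() {                  # $1=CA dir $2=user .pub $3=key ID $4=principals $5=validity
  ssh-keygen -q -s "$1/ca_user_key" -I "$3" -n "$4" -V "$5" "$2"
}

# 3. Inspect what sshd will match on: the principals embedded in the certificate.
cert_principals() {                # $1 = path to the *-cert.pub file
  ssh-keygen -L -f "$1" |
    awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

# 4. Server side: trust the CA and map each login name to the principals it
#    may present. With AuthorizedPrincipalsFile, a cert for principal "deploy"
#    can log in as any account whose file lists "deploy".
write_server_config() {            # $1 = staging dir $2 = CA public key
  cp "$2" "$1/ca_user_key.pub"
  mkdir -p "$1/auth_principals"
  printf 'alice\ndeploy\n' > "$1/auth_principals/alice"   # demo mapping
  cat > "$1/50-ssh-ca.conf" <<'EOF'
TrustedUserCAKeys /etc/ssh/ca_user_key.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
}

# End-to-end run in one scratch directory; prints the cert's principals.
demo() {                           # $1 = scratch directory
  make_ca "$1"
  ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$1/id_ed25519"
  sign_user_key "$1" "$1/id_ed25519.pub" 'alice@laptop' 'alice,deploy' '+8h'
  write_server_config "$1" "$1/ca_user_key.pub"
  cert_principals "$1/id_ed25519-cert.pub"
}

# Run the demo only when asked, so the file can also be sourced for its functions.
if [ "${SSH_CA_DEMO:-0}" = 1 ]; then demo "$(mktemp -d)"; fi
```

Run it with `SSH_CA_DEMO=1 sh ssh-ca-demo.sh`; the staged `50-ssh-ca.conf` and `auth_principals/` directory are what you would deploy under `/etc/ssh/` on each server.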



