Comment by arianvanp

Yep that's what I do! I have two ssh-ca's stored on two Yubikeys. And both are trusted by my servers.

If I lose one I can still sign new certs with the other.

https://github.com/arianvp/nixos-stuff/blob/master/modules/s...