Comment by miki123211

5 months ago

There is an easier way; it's called TLS certificates. It's just that SSH decided not to use it for some reason.

Other systems of this nature have figured out long ago that you should be able to have one personal certificate (stored securely in an airgapped environment), from which you'd generate leaf certificates for your devices every year.