This post is a personal request from a colleague who wanted to know the bare minimum needed to work with my ssh-ca script. Once you have the script (self-contained, no need for my entire bashfiles):

ssh-ca setup
ssh-ca sign ~/.ssh/id_rsa
ssh-ca install [email protected]

Repeat the sign step for all the keys you want to sign, and the install step for all the servers you want to trust the CA.

But I want to sign server keys!

ssh-ca setup
for key in /etc/ssh/ssh_host_*_key.pub; do ssh-ca signhost "$key"; done
ssh-ca trustconfig # copy the second line and add it to the known_hosts file of any client you want to trust the server keys

Admittedly, this is not as magical as the client key flow, but it’s the best I’ve got.