Comment on Why isn't using a key file the most common way to log into self-hosted servers?
UnpledgedCatnapTipper@piefed.blahaj.zone 3 days ago
If you do have automation, that’s another thing you have to set up and manage.
Hosting a CA is a whole additional service to set up, as is enabling trust for said CA on every server you’re running.
kumi@feddit.online 3 days ago
A CA can be an encrypted volume on a live USB stick. It’s mostly for the CRLs that you might want something online.
Unless you do TOFU (which some do and btw how often do you actually verify the github.com ssh fingerprint when connecting from a new host?), you need to add the trust root in some way, just as with any other method discussed. But that’s no more work than doing the same with individual host keys.
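Added example (not code from either commenter): a small Python script that reads an OpenSSH known_hosts file and reports, per host, whether trust comes from a pinned per-host key (the result of a TOFU prompt), from a @cert-authority trust root covering the host, or whether the key is @revoked. This is the "add the trust root in some way" step kumi describes, made visible. The file format follows sshd(8) (markers, wildcard and negated patterns, HashKnownHosts hashed entries); every hostname and key blob in the sample is a constructed dummy, not a real key.

```python
"""Inventory the trust roots in an OpenSSH known_hosts file (added example,
not a commenter's code). Format per sshd(8): optional @cert-authority or
@revoked marker, comma-separated host patterns (plain, wildcard, negated or
hashed), key type, base64 key blob, optional comment. All data is dummy."""
import base64
import fnmatch
import hashlib
import hmac
import struct
from dataclasses import dataclass

def make_key_blob(keytype: str, raw: bytes) -> str:
    """Base64 wire form of a public key, string(keytype) || string(raw);
    used only to build syntactically valid dummy keys for the sample."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(s(keytype.encode()) + s(raw)).decode()

def hash_host(host: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

@dataclass
class Entry:
    marker: str   # "" (pinned host key), "cert-authority", or "revoked"
    hosts: list   # host patterns, possibly negated ("!") or hashed ("|1|...")
    keytype: str
    blob: str
    comment: str

def parse_known_hosts(text: str) -> list:
    entries = []
    for lineno, raw_line in enumerate(text.splitlines(), 1):
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        marker = ""
        if line.startswith("@"):
            marker, line = line.split(None, 1)
            marker = marker[1:]
            if marker not in ("cert-authority", "revoked"):
                raise ValueError(f"line {lineno}: unknown marker @{marker}")
        fields = line.split(None, 3)
        hosts, keytype, blob = fields[:3]   # raises ValueError if a field is missing
        comment = fields[3] if len(fields) == 4 else ""
        # The blob must decode and name the same key type as the text field.
        decoded = base64.b64decode(blob, validate=True)
        (n,) = struct.unpack(">I", decoded[:4])
        if decoded[4:4 + n] != keytype.encode():
            raise ValueError(f"line {lineno}: key blob does not match {keytype}")
        entries.append(Entry(marker, hosts.split(","), keytype, blob, comment))
    return entries

def _pattern_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|")
        return hash_host(host, base64.b64decode(salt_b64)) == pattern
    return fnmatch.fnmatchcase(host, pattern)

def entry_matches(entry: Entry, host: str) -> bool:
    """A matching negated pattern vetoes the whole entry, as in sshd(8)."""
    positive = False
    for pattern in entry.hosts:
        if pattern.startswith("!"):
            if _pattern_matches(pattern[1:], host):
                return False
        elif _pattern_matches(pattern, host):
            positive = True
    return positive

def trust_model(entries: list, host: str) -> str:
    """revoked > pinned (a specific key on file, i.e. a TOFU result) >
    cert-authority (a CA pattern covers the host) > unknown (client would prompt)."""
    kinds = {e.marker for e in entries if entry_matches(e, host)}
    for kind in ("revoked", "", "cert-authority"):
        if kind in kinds:
            return kind or "pinned"
    return "unknown"

def summarize(entries: list) -> dict:
    """How many trust decisions are per-host pins versus one CA root."""
    counts = {"pinned": 0, "cert-authority": 0, "revoked": 0}
    for e in entries:
        counts[e.marker or "pinned"] += 1
    return counts

# Constructed sample: one CA root covering a domain, a host pinned before the
# CA existed, a revoked key, and a hashed (HashKnownHosts) pinned entry.
_CA_KEY = make_key_blob("ssh-ed25519", bytes(range(32)))
_HOST_KEY = make_key_blob("ssh-ed25519", bytes(32))
_OLD_KEY = make_key_blob("ssh-ed25519", bytes([0xFF] * 32))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; the key blobs are dummies, not real public keys",
    f"@cert-authority *.example.internal ssh-ed25519 {_CA_KEY} ops-ca",
    f"bastion.example.internal ssh-ed25519 {_HOST_KEY} pinned before the CA existed",
    f"@revoked old.example.internal ssh-ed25519 {_OLD_KEY}",
    f"{hash_host('git.example.net', b'0123456789abcdefghij')} ssh-ed25519 {_HOST_KEY}",
])
```

Run `summarize(parse_known_hosts(open('~/.ssh/known_hosts').read()))` against a real file to see how much of your fleet is trusted through one CA line versus one pinned line per host; `trust_model(entries, host)` tells you what a first connection to that host would do. Note that with HashKnownHosts enabled the hostnames are not recoverable from the file, so the per-host check has to start from a hostname you already know.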