Step 1: Generate CA Key Pair
# Create the certificate authority key pair: my_ca (private) and my_ca.pub (public).
# Whoever holds my_ca can sign certificates that every server trusting this CA
# will accept, so set a passphrase at the prompt and keep the private half off
# the servers themselves; only my_ca.pub needs to be distributed.
ssh-keygen -f my_ca -t ed25519
Step 2: Configure SSH Daemon to Trust CA
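# Make sshd accept user certificates signed by the CA.
# Run from the directory that holds my_ca.pub (copy it to this host first if the
# CA lives elsewhere). Only the public key goes on the server; my_ca never does.
sudo install -o root -g root -m 0644 my_ca.pub /etc/ssh/my_ca.pub

# Append the directive only if it is not already present, so re-running this
# step does not leave duplicate lines behind.
# NOTE: a line appended after a "Match" block becomes part of that block. If
# sshd_config ends with one, add the directive above the first Match instead.
if ! sudo grep -qE '^[[:space:]]*TrustedUserCAKeys[[:space:]]' /etc/ssh/sshd_config; then
  echo "TrustedUserCAKeys /etc/ssh/my_ca.pub" | sudo tee -a /etc/ssh/sshd_config >/dev/null
fi

# Check the configuration before restarting: with a broken sshd_config the
# daemon will not come back up and remote access to the host is lost.
sudo sshd -t && sudo systemctl restart sshd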
Step 3: Sign User Keys
# Sign user_key.pub with the CA private key; the certificate is written to
# user_key-cert.pub alongside it.
#   -I  key identity, which sshd logs when the certificate is used to log in
#   -n  principal(s) the certificate is valid for
#   -V  validity interval; +52w expires the certificate 52 weeks from now
# A shorter -V bounds how long a stolen user key remains usable without
# depending on the revocation list reaching every server.
# No -z is given, so the serial stays at its default of 0; distinct serials make
# individual certificates easier to tell apart in logs and revocation lists.
ssh-keygen -s my_ca \
  -V +52w \
  -n username \
  -I username@domain \
  user_key.pub
Step 4: User Uses Signed Key
# Log in with the private key plus its CA-signed certificate.
# ssh also looks for "<identity>-cert.pub" next to the identity file on its own,
# so the explicit CertificateFile option mainly matters when the certificate is
# stored under a different name or path.
ssh -o CertificateFile=user_key-cert.pub -i user_key username@server
Step 5: Revoke Certificates
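# Revoke a certificate by adding it to a Key Revocation List (KRL).
# The KRL is written directly to the path named in sshd_config, not to a file in
# the current directory that sshd would never read.
# -u extends an existing KRL and fails when the file is missing, so it is only
# used once the KRL exists; the first run creates the file.
if sudo test -f /etc/ssh/revoked; then
  sudo ssh-keygen -k -u -f /etc/ssh/revoked user_key-cert.pub
else
  sudo ssh-keygen -k -f /etc/ssh/revoked user_key-cert.pub
fi

# Point sshd at the KRL. The KRL is created first because sshd refuses
# public-key authentication for all users when the RevokedKeys file cannot be read.
# "sudo tee -a" is used (as in Step 2) because a plain ">>" redirect is opened by
# the calling, unprivileged shell and cannot write to sshd_config.
# NOTE: a line appended after a "Match" block becomes part of that block. If
# sshd_config ends with one, add the directive above the first Match instead.
if ! sudo grep -qE '^[[:space:]]*RevokedKeys[[:space:]]' /etc/ssh/sshd_config; then
  echo "RevokedKeys /etc/ssh/revoked" | sudo tee -a /etc/ssh/sshd_config >/dev/null
fi

# Validate, then restart so the running daemon picks up the new directive.
# Until this succeeds, the revoked certificate is still accepted.
sudo sshd -t && sudo systemctl restart sshd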