SSH certificates: the better SSH experience (jpmens.net)

The article walks through how SSH client trust currently relies on trust on first use (TOFU) and static keys, including what happens when host keys change, then argues for using SSH certificate authorities to eliminate per-host key deployment and noisy verification steps. It explains practical benefits such as automatic host-key rotation without warnings, centralized trust via ssh_known_hosts, and policy controls such as allowed users, source IP restrictions, and time-limited access. The post then begins outlining how to set up an SSH CA and issue user and host certificates using ssh-keygen.

April 03, 2026 16:36 Source: Hacker News