I really like the certificates for SSH idea... I've never thought about this and have always used vanilla keys.
Does anyone have experience using this? Besides giving auditing information, does this have any other benefits?
Author here. I mentioned a couple of other benefits in the post, namely TTL (time to live) and the ability to have fine-grained role-based access control. Your servers should use certificate-based auth too, to join a production environment. Then you won't have the trust-on-first-use issue, because server authentication simply compares the CA of a client & server and you don't have the dreadful "are you sure [y/N]" question when connecting to a box for the first time.
Basically, certificates rule the world everywhere, but due to rough UX, they haven't seen broad adoption for SSH. That's until now, hopefully :)
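As an added illustration (not code from this thread, the linked post, or any of the tools mentioned), here is a Python sketch of what a certificate-aware SSH peer checks once it holds a certificate: it decodes OpenSSH's certificate wire format, accepts the cert only if the signing CA key is on its trusted list (this is what replaces the "are you sure [y/N]" prompt), and then enforces type, validity window (TTL) and principal. Key bytes and timestamps are constructed placeholders, and the CA signature verification step is left out.

```python
import struct
CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2
CERT_ALGO = b"ssh-ed25519-cert-v01@openssh.com"

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH "string": 4-byte big-endian length + bytes

def build_cert(pubkey, serial, cert_type, key_id, principals, valid_after, valid_before, ca_key):
    # Constructed sample in OpenSSH's certificate wire format; signature left empty (needs the CA private key).
    return (ssh_string(CERT_ALGO) + ssh_string(b"\x00" * 32) + ssh_string(pubkey)
            + struct.pack(">QI", serial, cert_type) + ssh_string(key_id.encode())
            + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(b"") * 3 + ssh_string(ca_key) + ssh_string(b""))  # opts, extensions, reserved, CA key, signature

def _take_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(blob):
    """Decode the fields a verifier needs: type, key id, principals, validity window, signing CA."""
    algo, off = _take_string(blob, 0)
    assert algo == CERT_ALGO, "unsupported certificate type"
    for _ in range(2): _, off = _take_string(blob, off)  # skip nonce and the certified public key
    _serial, cert_type = struct.unpack_from(">QI", blob, off); off += 12
    key_id, off = _take_string(blob, off)
    plist, off = _take_string(blob, off)
    principals, p = [], 0
    while p < len(plist):  # principals are nested SSH strings inside one string
        name, p = _take_string(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off); off += 16
    for _ in range(3): _, off = _take_string(blob, off)  # skip critical options, extensions, reserved
    ca_key, off = _take_string(blob, off)
    return {"type": cert_type, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before, "ca_key": ca_key}

def check_cert(blob, trusted_cas, want_type, principal, now):
    # Policy checks applied once the CA signature is verified (the signature check itself is omitted here).
    c = parse_cert(blob)
    if c["ca_key"] not in trusted_cas:  # this replaces TOFU: trust the CA, not each individual host key
        return False, "signed by an untrusted CA"
    if c["type"] != want_type:
        return False, "wrong certificate type (user vs host)"
    if not c["valid_after"] <= now < c["valid_before"]:
        return False, "outside validity window (TTL enforced)"
    if c["principals"] and principal not in c["principals"]:  # empty list means any principal
        return False, f"principal {principal!r} not authorised"
    return True, "accepted: " + c["key_id"]
```

The same rejection paths are what you see in practice as "certificate invalid: expired" or "not in list of principals" in `ssh -v` output.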
Thanks for the follow-up! I've always thought the TOFU thing was a huge issue: it's hard to verify the first time and rotating server certs is a nightmare.
Are there any products/tools that make this easier? I've noticed that this isn't common even within companies with robust security infrastructure.
Another one to look at is https://github.com/Netflix/bless
Also, if you want to stick with what you have (most likely OpenSSH), we wrote an OpenSSH guide: https://gravitational.com/blog/how-to-ssh-properly/