We want to move to using ssh certificates on our servers and remove all passwords.
That's what we do.
Since when? What do you use to manage and generate certificates?
Generate with ssh-keygen. Manage with a wiki. We are only so big, so it works fine.
That is not certificates. That is keys. Completely different.
I don't know what @scottalanmiller uses but ssh-keygen is used to generate ssh certificates as well.
From the man page:
ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication. Certificates consist of a public key, some identity information, zero or more principal (user or host) names and a set of options that are signed by a Certification Authority (CA) key. Clients or servers may then trust only the CA key and verify its signature on a certificate rather than trusting many user/host keys. Note that OpenSSH certificates are a different, and much simpler, format to the X.509 certificates used in ssl(8).
But if you are automating certificate generation, you need to wrap this in something.
No, ssh-keygen does not do this (ssh certificate generation).
As you highlight, it can be used as part of the certificate process. But it cannot, and never will, be the certificate authority. Thus it is not the tool for this.
You're actually mistaken because I've done it many times now. A Certification Authority, when it comes to openssh certificates, is really just a key pair that you carefully guard.
You create certificates by using the CA keys to sign other public keys from users and hosts. The result is a certificate named *-cert.pub
And you do all of this with the ssh-keygen utility.
Similar to how you can create CA and everything else for the more complex x509 certificates with just openssl.
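The workflow described in the last reply (a CA key pair signing a user's public key to produce a *-cert.pub file), as an added example that is not part of the original thread. The file names, key ID, principal "alice", serial and one-hour validity are constructed for the demo, and the empty passphrases are only there so it runs unattended.

```shell
#!/bin/sh
# Added example: an OpenSSH CA is a key pair; ssh-keygen -s signs other
# public keys with it. All names and values below are constructed.
set -eu

# Create the CA key pair. The private half is the thing to guard in
# production (passphrase, offline host); -N '' is for the demo only.
make_ca() {  # $1 = directory
    ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$1/user_ca"
}

# Sign a user public key; writes <name>-cert.pub next to it.
#   -I key ID (appears in sshd logs)   -n allowed principals
#   -V validity window                 -z serial number
sign_user_key() {  # $1 = CA private key, $2 = user public key, $3 = principal
    ssh-keygen -q -s "$1" -I "demo-$3" -n "$3" -V +1h -z 1 "$2"
}

# Extract one field from the certificate listing (ssh-keygen -L).
cert_field() {  # $1 = certificate, $2 = label such as "Serial"
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2: //p"
}

# Check that the certificate was signed by the CA we expect, by
# comparing the CA public key fingerprint with the "Signing CA" field.
signed_by() {  # $1 = certificate, $2 = CA public key
    ca_fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    cert_field "$1" "Signing CA" | grep -q -F "$ca_fp"
}

demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$dir/alice"
    sign_user_key "$dir/user_ca" "$dir/alice.pub" alice
    echo "$dir/alice-cert.pub"
}

cert=$(demo)
ssh-keygen -L -f "$cert"   # human-readable view of the certificate

# Servers then trust the CA instead of individual keys, in sshd_config:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
```

Short validity windows (`-V`) and distinct key IDs (`-I`) are what make certificates manageable at scale: expiry replaces key cleanup, and the key ID shows up in the server's authentication log.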