SSH certificates vs SSH keys — the mental model shift
The core difference between SSH keys and SSH certificates isn’t technical — it’s organizational.
With keys, trust is distributed: every host maintains its own authorized_keys. Adding or removing access means touching every machine.
With certificates, trust is centralized at issuance time but enforced locally. A host trusts a CA. The CA decides who gets a certificate. The host validates offline.
The shift: you stop managing keys and start managing policy.
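The flow described above, as an added example using OpenSSH's ssh-keygen (not code from the original page). The names demo_ca, alice and webadmin, the 8-hour validity and the path /etc/ssh/demo_ca.pub are constructed for illustration.

```sh
#!/bin/sh
# Added example. All names (demo_ca, alice, webadmin) are constructed.

# The CA is one keypair. Hosts only ever receive demo_ca.pub.
make_ca() {  # $1 = working directory
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$1/demo_ca"
}

# Issuance is where policy lives: who (-I), allowed login names (-n),
# and how long (-V) are fixed when the CA signs the user's public key.
issue_user_cert() {  # $1 = dir, $2 = user, $3 = principal, $4 = validity
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/$2"
    ssh-keygen -q -s "$1/demo_ca" -I "$2" -n "$3" -V "$4" "$1/$2.pub"
}

# The host-side trust statement: a single sshd_config line, identical on
# every machine, in place of per-user authorized_keys entries.
host_trust_config() {  # $1 = where the CA public key is installed
    printf 'TrustedUserCAKeys %s\n' "$1"
}

# Print the fields a host evaluates offline: signing CA, key ID,
# validity window and principals.
describe_cert() {  # $1 = path to a *-cert.pub file
    ssh-keygen -L -f "$1"
}

# Run the whole flow in a throwaway directory: sh example.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_ca "$dir"
    issue_user_cert "$dir" alice webadmin +8h
    host_trust_config /etc/ssh/demo_ca.pub
    describe_cert "$dir/alice-cert.pub"
    rm -rf "$dir"
fi
```

By default sshd accepts a user certificate only for a login name listed among its principals and only inside its validity window, so access lapses on every host without touching any of them.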