By default, SSH uses RSA or DSA keys for both host and user authentication. That results in a plethora of trusted keys in users' known_hosts and authorized_keys files. known_hosts, in particular, is ripe for re-editing whenever your favourite hosting service changes the IP address associated with your computing instance changes when you restart it.

In newer releases of OpenSSH we can replace swathes of instance-specific keys with CA-signed trusted keys.

When you ssh to another host, say from userA on hostA to userB on hostB two sets of keys are exchanged:

1. a host key is supplied by hostB to userA and is either:

1. authenticated against an existing known host in userA's known_hosts file
2. is flagged as being a possible Man In The Middle attack if it conflicted in #1.
3. is prompted to be added to userA's known_hosts file for future reference

2. a user key is supplied by userA to hostB and is authenticated against the set of trusted keys in userB's authorized_keys file

With two sets of keys being exchanged, serving two similar but different purposes, it makes sense for us to use two different CAs for key signing.

I first read about SSH PKI certificates in this post by Blargh and then when chasing up which release of OpenSSH certificates were introduced I found another primer here.