
“cheap DigiCert certificate” is already possible with misconfiguration of SSH’s TrustedUserCAKeys and without any out of tree patches. https://smallstep.com/blog/use-ssh-certificates/


SSH certs are not related to X.509 PKI certs. SSH certs are created with ssh-keygen and are the result of one key signing another. The public portion of the signing key (i.e. the “cert”) needs to be distributed separately.
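To make the format difference concrete, here is an added example (not part of any comment in this thread) that decodes an `ssh-ed25519-cert-v01@openssh.com` blob following the field order in OpenSSH's PROTOCOL.certkeys. The helper names and the sample blob are constructed for illustration; the sample uses dummy key bytes and an all-zero signature, and the parser does not verify signatures.

```python
import struct

def ssh_string(b):
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

class Reader:
    def __init__(self, data):
        self.d, self.o = data, 0
    def take(self, n):
        if self.o + n > len(self.d):
            raise ValueError("truncated certificate")
        v = self.d[self.o:self.o + n]
        self.o += n
        return v
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())

def parse_ed25519_cert(blob):
    """Decode the fields of an ssh-ed25519-cert-v01 blob (no signature check)."""
    r = Reader(blob)
    ktype = r.string().decode()
    if ktype != "ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("not an ed25519 SSH certificate: " + ktype)
    cert = {"nonce": r.string(), "public_key": r.string(), "serial": r.u64(),
            "cert_type": {1: "user", 2: "host"}.get(r.u32(), "unknown"),
            "key_id": r.string().decode(), "principals": []}
    p = Reader(r.string())
    while p.o < len(p.d):
        cert["principals"].append(p.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    r.string(); r.string(); r.string()  # critical options, extensions, reserved
    ca = Reader(r.string())             # "signature key" = the CA's public key
    cert["ca_key_type"], cert["ca_public_key"] = ca.string().decode(), ca.string()
    cert["signature"] = r.string()
    return cert

def build_sample():
    """Constructed blob: dummy keys, all-zero signature that would NOT verify."""
    s = ssh_string
    ca_key = s(b"ssh-ed25519") + s(b"\x02" * 32)
    sig = s(b"ssh-ed25519") + s(b"\x00" * 64)
    return (s(b"ssh-ed25519-cert-v01@openssh.com") + s(b"\x01" * 32) + s(b"\x03" * 32)
            + struct.pack(">QI", 7, 1) + s(b"alice@example")
            + s(s(b"alice") + s(b"deploy"))
            + struct.pack(">QQ", 1700000000, 1700086400)
            + s(b"") + s(b"") + s(b"") + s(ca_key) + s(sig))

def looks_like_x509_der(blob):
    """X.509 certificates are ASN.1 DER and start with a SEQUENCE tag (0x30)."""
    return blob[:1] == b"\x30"
```

The `ca_public_key` field is the value an auditor compares against the keys listed in `TrustedUserCAKeys`; on a real certificate file, `ssh-keygen -L -f <file>` prints the same fields.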


Did you follow the link? The point was exactly setting up X.509 PKI for SSH authentication. Yes, it can be used with SSH, that was the GP's point.


The link talks about setting up an SSH CA, not X.509?

> For our part, the most recent release of step & step-ca (v0.12.0) adds basic SSH certificate support. In other words:

> step-ca is now an SSH CA (in addition to being an X.509 CA)

> step makes it easy for users and hosts to get certificates from step-ca

It's a tool that does X.509 CA for X.509 things and SSH CA for SSH.


You can disable X.509 for SSH.


I’m replying to parent not the overall post.



