Currently, any ssh keys being added to the manager have to be raw public keys. If we could add ssh keys with the cert-manager tag at the front, we could use ssh keys signed by a CA. As an example, I currently house a ssh CA on my Yubikey 4, and sign all my desktop ssh keys with it. This allows me to add 1 ssh key to my authorized_keys file and grant access to all my signed machines. This also allow new machines to be added by simply signing their ssh key. I've been able to test this feature using cloud-init, but that requires building or copying a cloud-init.yml file each time.