Description
We don't currently have any way to create a host / user root certificate for SSH. You'd need this to rotate your root certificate, or if you run `step ca init` without `--ssh` and want to enable SSH later. Or if you want to use `step` to generate SSH CA artifacts, but not use `step-ca`.
Before any engineering work is done we need to figure out where to fit this into the CLI. We do this for X.509 via `step certificate create` with the `--profile` flag. For SSH, the `step ssh certificate` subcommand feels like the right place for this. But it's already a pretty complicated subcommand, and this would add a lot more complexity. Maybe we need a different subcommand.
Relatedly, we may want a more streamlined subcommand to enable SSH for an existing `step-ca` installation that generates both root certs (host & client) and makes the appropriate CA config changes for you (like `step ca provisioner add`).