It’s not an official solution to this problem, and it would be great if we could have Balena managed SSH CAs, but this forum post I made earlier this year covers how we’ve deployed an SSH CA to Balena devices: Certificate based authentication for SSH