We can probably plug into Caddy's PKI app to do this.

Snippet to get started from Caddy's acme_server module:

	// get a reference to the configured CA
	appModule, err := ctx.App("pki")
	if err != nil {
		return err
	}
	pkiApp := appModule.(*caddypki.PKI)
	ca, err := pkiApp.GetCA(ctx, ash.CA)
	if err != nil {
		return err
	}

Then from there we'd need to adjust caddypki.CA.NewAuthority() to support configuring the CA for SSH use, i.e. by adding authority.WithSSH*() options, then we can call authority.SignSSH and spit out the result to whoever needs it. When you need to do auth for a new connection, I think we can call authority.GetSSHRoots() then validate it with x/crypto/ssh as you normally would (not sure how SSH key verification would work, haven't dug into how caddy-ssh does that yet)

I am especially interested in ensuring that revocation works as expected. Of real interest would be seeing if we can boot/force logout any sessions users are logged into already at time of revocation