Modern versions of OpenSSH has gotten support for using certificates in places where keys can be used, i.e. host keys and authentication keys. These are not X.509 certificates though, but something specific to OpenSSH. They work in a similar manner though with a certificate authority signing certificates and other parties trusting those certificates since they can verify the signature. ThinLinc has no explicit support for these certificates, treating them like any other key type. This mostly works, except for the ability to trust host keys based on the signature and avoid having to explicitly check each host key. To fix this we would need to add support for configuring the certificate authority keys and checking signatures instead of the entire host key.
If I'm reading OpenSSH's code correctly, our current behaviour is also incorrect. A certificate should not be individually stored. If there is no CA for the certificate, then the key should be converted to a non-certificate equivalent and that should be used instead.
Moving the immediate problem to bug 7643. This bug is about doing things properly.
Worth noting that there's multiple certificate related errors that can be raised by OpenSSH, we should handle these whenever we implement support for certificates. Otherwice the user will only get generic "You are not authorized to connect to this server" messages in those cases, which isn't that helpful.
https://community.thinlinc.com/t/tl-server-agent-sshkeys-signed-by-ca/1125
