TZubiri 3 hours ago

The capacity to grant access as a specific remote user is present without certs as well, right? The typical authorized_keys file lives under a user directory and grants access only to that user.

blueflow 3 hours ago | parent [-]

The main advantage of certificates is that you are able to do that from the CA without touching the target machine.

lokar 32 minutes ago | parent [-]

Exactly. This is really useful in larger organizations where you may want more complex rules on access. For example, you can easily build "break glass" or 2nd party approved access on demand. You can put whatever logic you need in a CA front-end.

You can also make all the certs short-lived (and only store them in RAM).
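
A sketch of the CA front-end logic this thread describes, added here as an example and not taken from any commenter or project: it decides whether to issue a short-lived certificate for one remote account (principal) and builds the `ssh-keygen` signing call. The CA key path, the entitlement table, the TTL values and the approval rule are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

CA_KEY = "/etc/ssh-ca/user_ca"            # hypothetical CA private key path
TTL_MINUTES = {"normal": 15, "approved": 15, "break_glass": 60}  # constructed policy
ENTITLED = {"alice": {"deploy"}, "bob": {"deploy", "root"}}      # constructed data
NEEDS_APPROVAL = {"root"}                 # principals that need a second person

class Denied(Exception):
    pass

@dataclass
class Request:
    requester: str
    principal: str            # remote account the cert will be valid for
    pubkey_path: str
    approver: Optional[str] = None
    break_glass: bool = False
    reason: str = ""

def decide(req: Request) -> str:
    """Return the issuance mode or raise Denied."""
    # Exact set membership also rejects "deploy,root": -n takes a comma list.
    if req.principal not in ENTITLED.get(req.requester, set()):
        raise Denied("requester is not entitled to this principal")
    if req.break_glass:
        if not req.reason.strip():
            raise Denied("break glass needs a recorded reason")
        return "break_glass"
    if req.principal in NEEDS_APPROVAL:
        if req.approver is None or req.approver == req.requester:
            raise Denied("a second party must approve")
        if req.approver not in ENTITLED:
            raise Denied("unknown approver")
        return "approved"
    return "normal"

def signing_argv(req: Request, serial: int) -> list:
    """Build the ssh-keygen call; argv list, so nothing passes through a shell."""
    mode = decide(req)
    # The key ID (-I) is what sshd logs on login, so it carries the audit trail.
    key_id = f"{req.requester}/{mode}/approver={req.approver or '-'}"
    return ["ssh-keygen", "-s", CA_KEY, "-I", key_id, "-n", req.principal,
            "-V", f"+{TTL_MINUTES[mode]}m", "-z", str(serial), req.pubkey_path]
```

The target machines only need to trust the CA public key; every decision above happens on the CA side.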