
Ideally each key will be generated on the device and be unexportable. That's a major part of the value of a Yubikey/smartcard/HSM, because it provides Non-Repudiation, and it enables you to be reasonably certain that it is impossible for the key to exist outside of the physical device.

You can use multiple devices to generate multiple keys to give you persistent access in case a device fails or is lost. Software generally accommodates multiple (public) keys per client for this reason.

With an SSH CA, the server ultimately trusts the CA key, and client keys are used for authentication via the client certificates. I think you can use Yubikeys and relatively inexpensive HSMs (e.g. Nitrokeys) for this.

https://framkant.org/2016/10/use-a-smart-card-or-hsm-to-secu...
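
The SSH CA arrangement described in the comment above, as an added example that is not part of the original comment or the linked article. It assumes OpenSSH's ssh-keygen is installed; file-based keys stand in for keys held on a Yubikey or HSM so that it runs offline, and the names demo_ca, alice and alice@laptop are constructed.

```shell
#!/bin/sh
# Added example. File-based keys stand in for token-held keys so it runs offline;
# demo_ca, alice and alice@laptop are constructed names.
# With a PKCS#11 token the signing step takes the CA *public* key plus the
# vendor library (placeholder path): ssh-keygen -s ca.pub -D /path/to/pkcs11.so ...

make_ssh_ca_demo() {
    dir=$1
    # CA key pair. The server only ever needs demo_ca.pub.
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$dir/demo_ca" || return 1
    # Client key pair. The private half stays with the client.
    ssh-keygen -q -t ed25519 -N '' -C alice@laptop -f "$dir/alice" || return 1
    # CA signs the client public key: writes alice-cert.pub, valid one day,
    # usable only for the login name (principal) "alice".
    ssh-keygen -q -s "$dir/demo_ca" -I alice@laptop -n alice -V +1d -z 1 \
        "$dir/alice.pub" || return 1
}

key_fingerprint() {   # SHA256 fingerprint of a public key file
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

cert_signing_ca() {   # fingerprint of the CA recorded in a certificate
    ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}'
}

cert_principals() {   # login names the certificate is valid for
    ssh-keygen -L -f "$1" |
        awk '/Critical Options:/ {p=0} p {print $1} /Principals:/ {p=1}'
}

cert_signed_by() {    # succeeds only if cert $1 was signed by CA public key $2
    [ -n "$(cert_signing_ca "$1")" ] &&
        [ "$(cert_signing_ca "$1")" = "$(key_fingerprint "$2")" ]
}

# sshd side, one line in sshd_config, no per-user authorized_keys entry:
#   TrustedUserCAKeys /etc/ssh/demo_ca.pub
demo=$(mktemp -d) && make_ssh_ca_demo "$demo" &&
    cert_signed_by "$demo/alice-cert.pub" "$demo/demo_ca.pub" &&
    echo "alice-cert.pub chains to demo_ca for: $(cert_principals "$demo/alice-cert.pub")"
rm -rf "$demo"
```

Comparing the certificate's "Signing CA" fingerprint with the fingerprint of the key listed under TrustedUserCAKeys is a quick audit check that a given certificate was issued by the CA the server actually trusts.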



