
Suppose I grant a user access to system X for 2 weeks via a cert. When this user then requires 8 hours of access to system Y, can I just provide an additional cert with this claim and have the user's ssh client figure it all out?

Or does this scenario either require the user juggling certs, or me generating certs containing all concurrent claims?




Great question, I haven't tested this yet.

One thing I'm sure would work is if the user has generated two separate public-private key pairs and you sign two different certs.

Not so sure about having several certs for the same key.

If I was in that situation, I would probably generate a new cert which contains the concurrent claims and is short-lived, but we also don't have extremely many different roles.
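
The approach suggested in the reply above (one short-lived certificate carrying both claims), sketched as an added example that is not part of the original thread. It assumes the "claims" map to OpenSSH certificate principals; the CA, key, and principal names (`system-x`, `system-y`) are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and user key in a temp dir.
# All file names, key IDs and principals here are hypothetical.

issue_combined_cert() {
    # $1 = comma-separated principals, $2 = validity (-V syntax), $3 = work dir
    principals=$1; validity=$2; dir=$3
    # Throwaway CA key and user key, no passphrase (demo only).
    ssh-keygen -q -t ed25519 -N '' -C demo-ca   -f "$dir/ca"
    ssh-keygen -q -t ed25519 -N '' -C demo-user -f "$dir/id_user"
    # Sign the user's public key: one cert, several principals, short lifetime.
    # Writes $dir/id_user-cert.pub next to the public key.
    ssh-keygen -q -s "$dir/ca" -I demo-user-combined \
        -n "$principals" -V "$validity" "$dir/id_user.pub"
}

cert_principals() {
    # Print the principals listed in a certificate, one per line,
    # by reading the "Principals:" section of `ssh-keygen -L` output.
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

cert_validity() {
    # Print the "Valid:" line so the expiry can be checked before handing out.
    ssh-keygen -L -f "$1" | awk '/Valid:/ {sub(/^[ \t]+/, ""); print}'
}

# Stand-alone run: issue an 8-hour cert covering both systems and inspect it.
demo_dir=$(mktemp -d)
issue_combined_cert "system-x,system-y" "+8h" "$demo_dir"
cert_principals "$demo_dir/id_user-cert.pub"
cert_validity "$demo_dir/id_user-cert.pub"
rm -rf "$demo_dir"
```

The validity window applies to every principal in the certificate, so this combined cert grants `system-x` for 8 hours as well; the existing 2-week certificate for system X remains a separate file.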



