Wouldn’t automation based on your approach be really easy? Like correct me if I’m wrong, but I assume you just need a chron job executing ssh-keygen on your localhost, adding the new pub to ansible, rolling out and removing the old, right?

Sooo, CA unreachable means connection dead, which is a manageable risk. But giving a third party the authority over my SSH access sounds like a great way to make it convenient for state actors to invade my privacy.