I’m having an n:m relationship between desktop machines and servers, which made managing public keys on the server an nightmare. With SSH certificates, i register the CA once at server installation. Clients keep an certificate that authorizes their keypair for my user accounts on the server, from where i su to root. Certificate revocation and expiry allow for graceful key rotations. The CA key may be kept on isolated machines.
I’m a satisfied user for over a year now, using certificates almost exclusively.
See also: ssh-keygen(1).