Comment 4 for bug 1790963

Hi all,

This only affect RSA certificates, not ECDSA or ED25519 certs
Even if your CA is an RSA key, you can sign ECDSA or ED25519 public keys so you get ECDSA/ED25519 certificates which allow you to work around the issue without changing anything server-side
(and without deploying a new CA)

Exemple of working cert (7.8 client, <7.8 server):
$ ssh-keygen -Lf ~/.ssh/id_ed25519-cert.pub
~/.ssh/id_ed25519-cert.pub:
        Type: <email address hidden> user certificate
        Public key: ED25519-CERT SHA256:<...>
        Signing CA: RSA SHA256:<...>
        Key ID: "..."