There is only one public key that is installed on the servers. That key is the same everywhere. You have a self-serve system that generates short-lived certs for users.
What public key is installed where on the servers? What self-serve system, where, generating certs how, and in what form do users get them, and what do they do with them?
And how does the user authenticate to the self-serve system - username/password? And why can't they just do that with the SSH server?
The company certificate is put on the server. Manually, the sysadmin generates the user key signed by the certificate and sends it to them. Or the self-serve system generates it and they download it.
The user uses the SSH key as normal. The server checks whether the key is signed.
The self-serve system uses the company's single-sign-on system. The SSH server can't do SSO; maybe it can do LDAP, but it is a giant annoyance to set up. A lot of SSH use assumes keys and doesn't support username/password.
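As an added example (not part of the thread), here is the flow the replies describe, scripted with OpenSSH's ssh-keygen: one CA keypair whose public half goes on every server, a user's ordinary key signed into a short-lived certificate, and the check a server effectively performs (the cert must be signed by the trusted CA, carry a permitted principal, and be within its validity window). The key names, the user "alice", the principal, the one-hour lifetime, and the rogue-CA case are all assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes OpenSSH's ssh-keygen is installed;
# all file names, the user "alice" and the 1h lifetime are invented for the demo.
set -euo pipefail

# On every server, sshd_config would carry the single CA public key (assumed path):
#   TrustedUserCAKeys /etc/ssh/company_ca.pub
# sshd then accepts any user cert signed by that key whose principals include
# the login name and whose validity window covers the current time.

# issue_cert <ca_private_key> <user_pubkey> <principal> [validity]
# What the self-serve system does after SSO: sign the user's public key.
# Produces <user_pubkey without .pub>-cert.pub next to the user's public key.
issue_cert() {
  local ca="$1" userpub="$2" principal="$3" validity="${4:-+1h}"
  ssh-keygen -q -s "$ca" -I "${principal}@self-serve" -n "$principal" -V "$validity" "$userpub"
}

# cert_ok <cert> <trusted_ca_pub> <principal>
# Mirrors the server-side decision using ssh-keygen -L output:
# signing CA fingerprint must match the trusted CA, principal must be listed,
# and the cert must carry an explicit validity window (not "forever").
cert_ok() {
  local cert="$1" capub="$2" principal="$3" info cafp
  info=$(ssh-keygen -L -f "$cert")
  cafp=$(ssh-keygen -l -f "$capub" | awk '{print $2}')   # e.g. SHA256:...
  grep 'Signing CA:' <<<"$info" | grep -qF "$cafp" || return 1
  grep -qxE "[[:space:]]*${principal}" <<<"$info"   || return 1
  grep -q 'Valid: from' <<<"$info"                   || return 1
}

# demo: end-to-end run in a temp dir. Returns 0 on success, 2 if ssh-keygen is absent.
demo() {
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found; skipping" >&2; return 2; }
  local dir rc=0
  dir=$(mktemp -d)
  {
    # 1. The one company CA. Only ca.pub is ever copied to servers.
    ssh-keygen -q -t ed25519 -N '' -C 'company-ssh-ca' -f "$dir/ca" &&
    # 2. The user's normal keypair, generated on their laptop.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$dir/alice" &&
    # 3. Self-serve signs alice.pub for one hour with principal "alice";
    #    alice downloads alice-cert.pub and ssh uses it alongside her key.
    issue_cert "$dir/ca" "$dir/alice.pub" alice +1h &&
    # 4. A server holding ca.pub accepts it.
    cert_ok "$dir/alice-cert.pub" "$dir/ca.pub" alice &&
    # 5. A cert from some other CA is rejected, even for the same key and principal.
    ssh-keygen -q -t ed25519 -N '' -C 'rogue-ca' -f "$dir/rogue" &&
    cp "$dir/alice.pub" "$dir/alice2.pub" &&
    issue_cert "$dir/rogue" "$dir/alice2.pub" alice +1h &&
    ! cert_ok "$dir/alice2-cert.pub" "$dir/ca.pub" alice
  } || rc=$?
  rm -rf "$dir"
  return "$rc"
}

if demo; then echo "short-lived cert issued, verified, and rogue-CA cert rejected"; fi
```

The user needs no extra configuration: when alice-cert.pub sits next to the private key, ssh offers the certificate automatically, and the server never needs her individual public key in authorized_keys. Rotating the CA or shortening -V is what replaces password or per-key revocation handling.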