Tips:

1.) server configuration

1.1.) .../sshd_config

    CACertificateFile /etc/ssh/ca/ca-bundle.crt

CACertificateFile is a plain-text file containing CA certificates. You can get a copy from the openssl, apache, KDE, mutt, etc. packages. The original file is exported from the Netscape certificate db, and one download URL is http://www.modssl.org/contrib/ca-bundle.crt.tar.gz

1.2.) append to $HOME/.ssh/authorized_keys a record with the following format:

where:
    KEY_TYPE:=x509v3-sign-rsa|x509v3-sign-dss (case sensitive !)
    WORDDN:=Distinguished Name|Distinguished_Name|DN|Subject (case insensitive !)
    WORDDNSUFF:='='|':'|''
    is equal to output from command "openssl x509 -noout -subject -in MY_CERTIFICATE_FILE".

Shell sample:

    ( echo -n "x509v3-sign-rsa "; openssl x509 -noout -subject -in MY_CERTIFICATE_FILE ) >> PATH_TO_USER_HOME/.ssh/authorized_keys

2.) client config:

Depends on the client. The "OpenSSH id-file" must contain both sections, the private key and the certificate:

    -----BEGIN RSA PRIVATE KEY-----
    .....
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    .....
    -----END CERTIFICATE-----

P.S.: When we use our own CA, we must import the CA certificate[s] into "CACertificateFile".

More info on http://satva.skalasoft.com/~rumen/domino_CA/#dca2kde
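A lint for the two files described above, as an added example that is not part of the original tips or of the X.509 patch itself. It assumes a record is the key type, one space, WORDDN, WORDDNSUFF and then the DN, as the shell sample produces; the function names and sample lines are constructed for illustration.

```python
import re

KEY_TYPES = ("x509v3-sign-rsa", "x509v3-sign-dss")  # case sensitive
WORDS = ("distinguished name", "distinguished_name", "dn", "subject")  # WORDDN
# WORDDN (any case), WORDDNSUFF ('=', ':' or empty), then a non-empty DN.
RECORD_DN = re.compile(r"(?:distinguished[ _]name|dn|subject)[=:]?\s*([^=:\s].*)", re.I)
PEM_SECTION = re.compile(r"-----BEGIN ([A-Z ]+)-----.+?-----END \1-----", re.S)

def parse_x509_record(line):
    """Return (key_type, dn) for one authorized_keys line or raise ValueError."""
    key_type, _, rest = line.strip().partition(" ")
    if key_type not in KEY_TYPES:
        raise ValueError("key type must be one of %s, exact case" % ", ".join(KEY_TYPES))
    match = RECORD_DN.fullmatch(rest.strip())
    if match is None:
        raise ValueError("expected WORDDN, optional '=' or ':', then the DN")
    return key_type, match.group(1).strip()

def lint_authorized_keys(text):
    """Return [(line_number, problem)]; ordinary key lines (ssh-rsa ...) are skipped."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        lowered = line.strip().lower()
        if not lowered.startswith(("x509v3-",) + WORDS):
            continue
        try:
            parse_x509_record(line)
        except ValueError as err:
            problems.append((number, str(err)))
    return problems

def idfile_problems(text):
    """Return what an "OpenSSH id-file" is missing (empty list if both sections exist)."""
    labels = [m.group(1) for m in PEM_SECTION.finditer(text)]
    problems = []
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key section")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate section")
    return problems

# Constructed sample: lines 3 and 4 are wrong (key type case, missing key type).
SAMPLE = """\
x509v3-sign-rsa subject= /C=XX/O=Example/CN=alice
x509v3-sign-dss Distinguished_Name:/C=XX/O=Example/CN=bob
X509v3-Sign-RSA subject= /C=XX/O=Example/CN=carol
subject= /C=XX/O=Example/CN=dave
ssh-rsa AAAAB3NzaC1yc2E= erin@example
"""
```

Calling lint_authorized_keys(SAMPLE) reports lines 3 and 4; idfile_problems() takes the text of an id-file and lists any missing section.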