I stand corrected. Thanks for pointing out the difference. I was using the terms "CA" and "certificate" interchangeably because in the X.509 world CAs also have certificates of their own, but it seems that OpenSSH only deals with CA keys; that is, certificates are always leaf certificates, and CAs consist of their keys only.
> "Chained" certificates, where the signature key type is a certificate type itself are NOT supported.
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys...
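
The leaf-only rule quoted above can be checked mechanically. As an added example (not part of the original comment and not OpenSSH's own code), this Python code walks the `ssh-ed25519-cert-v01@openssh.com` field layout from PROTOCOL.certkeys and reports whether the embedded signature key is itself a certificate type. The helper names and the sample blobs are constructed for illustration; the samples carry dummy key bytes and an empty signature.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
CERT_SUFFIX = b"-cert-v01@openssh.com"

def ssh_string(data):
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH 'string' at off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:end], end

def signature_key_type(blob):
    """Return the key type inside the certificate's 'signature key' field."""
    ktype, off = read_string(blob, 0)
    if ktype != CERT_TYPE:
        raise ValueError("this example only handles ed25519 certificates")
    for _ in range(2):               # nonce, pk
        _, off = read_string(blob, off)
    off += 8 + 4                     # uint64 serial, uint32 type
    for _ in range(2):               # key id, valid principals
        _, off = read_string(blob, off)
    off += 8 + 8                     # uint64 valid after, uint64 valid before
    for _ in range(3):               # critical options, extensions, reserved
        _, off = read_string(blob, off)
    sig_key, _ = read_string(blob, off)
    return read_string(sig_key, 0)[0]

def is_chained(blob):
    """True if the signing key is a certificate type (the unsupported case)."""
    return signature_key_type(blob).endswith(CERT_SUFFIX)

def build_sample(sig_key_type):
    """Constructed sample blob with dummy keys and an empty signature."""
    sig_key = ssh_string(sig_key_type) + ssh_string(b"\x00" * 32)
    return b"".join([
        ssh_string(CERT_TYPE), ssh_string(b"\x01" * 32), ssh_string(b"\x02" * 32),
        struct.pack(">QI", 1, 1), ssh_string(b"constructed-key-id"),
        ssh_string(ssh_string(b"alice")), struct.pack(">QQ", 0, 2**64 - 1),
        ssh_string(b""), ssh_string(b""), ssh_string(b""),
        ssh_string(sig_key), ssh_string(b""),
    ])
```

`build_sample(b"ssh-ed25519")` models the normal case of a plain CA key, while passing a `-cert-v01@openssh.com` type models the chained form the specification rules out.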