
> You no longer need to manage long-lived SSH keys

Well, now you are managing CAs. Sure, it's short-lived, but it's no different from having a policy for rotating your SSH keys.




It’s really important to understand why those are different. CAs are organizational and tightly restricted: I don’t use or have access to my CA’s private key but my SSH key is on every client I use. If I leave the company, you have to check every authorized key file on every server to ensure my keys are no longer present. In contrast, the CA doesn’t need to rotate since I never had access to it and since the CA will set an expiration time on each of the keys I do get it’s probably unusable shortly after my departure even if you missed something.
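The argument above rests on two fields carried inside every OpenSSH user certificate: the principal list (which login names it is good for) and the validity window (after which sshd refuses it with no revocation step needed). The following is an added example, not code from the thread or from OpenSSH: a small encoder and parser for the `ssh-ed25519-cert-v01@openssh.com` layout, using a constructed certificate with placeholder key bytes and a dummy signature so it runs offline, and a `cert_usable` function that mirrors the principal and validity checks sshd performs once the CA signature has been verified.

```python
"""Decode an OpenSSH user certificate (the *-cert.pub blob) and evaluate the
principal and validity-window checks that sshd applies before trusting it.

The certificate is CONSTRUCTED in-process with placeholder key material and an
all-zero signature so the example runs offline; sshd would reject it. A real
one comes from: ssh-keygen -s ca_key -I alice@laptop -n alice -V +8h id_ed25519.pub
"""
import base64
import struct


def _enc_str(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _enc_name_list(names) -> bytes:
    """Principals are packed as one string that contains a sequence of strings."""
    return _enc_str(b"".join(_enc_str(n.encode()) for n in names))


def build_cert(principals, valid_after, valid_before, key_id="alice@laptop"):
    """Assemble a user certificate in the ssh-ed25519-cert-v01 field order.
    Nonce, keys and signature are constructed placeholders for the parser."""
    blob = b"".join([
        _enc_str(b"ssh-ed25519-cert-v01@openssh.com"),
        _enc_str(b"\x00" * 32),                 # nonce (constructed)
        _enc_str(b"\x11" * 32),                 # user's ed25519 public key (constructed)
        struct.pack(">Q", 1),                   # serial number
        struct.pack(">I", 1),                   # type: 1 = user cert, 2 = host cert
        _enc_str(key_id.encode()),              # key id, logged by sshd on login
        _enc_name_list(principals),             # login names this cert may be used for
        struct.pack(">Q", valid_after),         # seconds since epoch, inclusive
        struct.pack(">Q", valid_before),        # seconds since epoch, exclusive
        _enc_str(b""),                          # critical options (none)
        _enc_str(b""),                          # extensions (none)
        _enc_str(b""),                          # reserved
        _enc_str(_enc_str(b"ssh-ed25519") + _enc_str(b"\x22" * 32)),  # CA public key (constructed)
        _enc_str(_enc_str(b"ssh-ed25519") + _enc_str(b"\x00" * 64)),  # signature (dummy, not valid)
    ])
    return f"ssh-ed25519-cert-v01@openssh.com {base64.b64encode(blob).decode()} {key_id}"


class _Reader:
    """Sequential decoder for the SSH wire types used in certificates."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v


def parse_cert(line: str) -> dict:
    """Extract the fields of a *-cert.pub line that decide who may use it and when."""
    key_type, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != key_type:
        raise ValueError("certificate type prefix does not match blob")
    r.string()                                   # nonce
    r.string()                                   # user's public key
    serial, cert_type, key_id = r.u64(), r.u32(), r.string().decode()
    names = _Reader(r.string())
    principals = []
    while names.pos < len(names.data):
        principals.append(names.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def cert_usable(cert: dict, login_name: str, now: int):
    """Authority checks sshd applies to a user cert presented for `login_name`
    at time `now`, after the CA signature has been verified upstream.
    Returns (accepted, reason)."""
    if cert["type"] != 1:
        return False, "not a user certificate"
    if login_name not in cert["principals"]:
        return False, "principal not listed"
    if now < cert["valid_after"]:
        return False, "not yet valid"
    if now >= cert["valid_before"]:           # end of window is exclusive in OpenSSH
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued = 1_700_000_000
    cert = parse_cert(build_cert(["alice"], issued, issued + 8 * 3600))
    for t in (issued + 3600, issued + 9 * 3600):
        print(t, cert_usable(cert, "alice", t))
```

The expiry is what removes the cleanup burden the comment describes: once `now` passes `valid_before`, every server rejects the certificate on its own, and the CA private key never needed to be on the departed user's machines in the first place. The principal check is the other half; a certificate issued for `alice` is useless for `root` unless the CA explicitly listed it.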



