I plan to put an SSH server on micro-controller devices. There shall be many devices distributed in a wide range.
The identity of the server is checked with the server key. The server needs to store the private key to allow the authentication. When I copy the private key to all micro-controllers, I have to generate the private key elsewhere (e.g. at my PC). This copy of the private key can be thieved.
It would be more secure when the server generates a key pair and the private key will never be copied from the micro-controller.
The server should work standalone without a hierarchical trust infrastructure.
Edit: The microcontroller has a one-time programmable storage for one public key and built-in routines to verify a signature. A trusted platform module for private keys could be added. But if the devices share a common private key, it would be necessary to replace the key pair in all devices when the private key gets compromised. Since there is no obviously visible way to update the private key using a connection "secured" with a compromised private key, sharing the private key should be avoided.
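The scheme the question is circling (each device generates its own host key at first boot, the private half never leaves the device, the operator records one fingerprint per device, and the owner key burned into OTP storage authorizes a later key rotation) can be simulated in a few dozen lines. The following Go program is an added illustration, not code from the question or from any SSH implementation: it assumes Ed25519 host keys, uses the OpenSSH wire encoding to compute the same `SHA256:` fingerprint that `ssh` shows on first connect, and models the OTP public key as a field set at manufacture. The device type, the `rotate <id> <counter>` command format and the counter-based replay check are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device models one micro-controller. The host private key is generated on the
// device and lives only in the unexported field; no method ever returns it.
type Device struct {
	ID          string
	otpOwner    ed25519.PublicKey  // owner public key burned into OTP storage (assumption)
	hostPub     ed25519.PublicKey  // the only key material that is exported
	hostPriv    ed25519.PrivateKey // never leaves the device
	lastCounter uint64             // highest rotate counter accepted so far (replay guard)
}

// NewDevice simulates first boot: the device creates its own host key pair.
func NewDevice(id string, otpOwner ed25519.PublicKey) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, otpOwner: otpOwner, hostPub: pub, hostPriv: priv}, nil
}

// ProvisionFleet creates n devices that all share the same OTP owner key but
// each generate their own, distinct host key.
func ProvisionFleet(n int, otpOwner ed25519.PublicKey) ([]*Device, error) {
	devs := make([]*Device, 0, n)
	for i := 0; i < n; i++ {
		d, err := NewDevice(fmt.Sprintf("dev-%02d", i), otpOwner)
		if err != nil {
			return nil, err
		}
		devs = append(devs, d)
	}
	return devs, nil
}

// HostPublicKey is what the operator records in known_hosts.
func (d *Device) HostPublicKey() ed25519.PublicKey { return d.hostPub }

// sshWireEd25519 encodes a public key as OpenSSH does: string "ssh-ed25519"
// followed by the 32-byte key, each prefixed with a big-endian uint32 length.
func sshWireEd25519(pub ed25519.PublicKey) []byte {
	var out []byte
	for _, field := range [][]byte{[]byte("ssh-ed25519"), pub} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		out = append(out, n[:]...)
		out = append(out, field...)
	}
	return out
}

// Fingerprint returns the OpenSSH-style "SHA256:<unpadded base64>" fingerprint.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(sshWireEd25519(pub))
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// KnownHostsLine renders the known_hosts entry for one device.
func KnownHostsLine(hostname string, pub ed25519.PublicKey) string {
	return fmt.Sprintf("%s ssh-ed25519 %s", hostname,
		base64.StdEncoding.EncodeToString(sshWireEd25519(pub)))
}

// RotateCommand builds the message the owner signs to order a host-key rotation.
func RotateCommand(deviceID string, counter uint64) []byte {
	return []byte(fmt.Sprintf("rotate %s %d", deviceID, counter))
}

// RotateHostKey regenerates the host key, but only for a command that carries a
// valid owner signature, names this device, and has a counter newer than any seen.
func (d *Device) RotateHostKey(cmd, sig []byte) error {
	if !ed25519.Verify(d.otpOwner, cmd, sig) {
		return errors.New("rotate: bad owner signature")
	}
	var id string
	var counter uint64
	if _, err := fmt.Sscanf(string(cmd), "rotate %s %d", &id, &counter); err != nil {
		return errors.New("rotate: malformed command")
	}
	if id != d.ID || counter <= d.lastCounter {
		return errors.New("rotate: wrong device or replayed counter")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d.hostPub, d.hostPriv, d.lastCounter = pub, priv, counter
	return nil
}

func main() {
	ownerPub, _, _ := ed25519.GenerateKey(rand.Reader) // owner private key stays off-device
	devs, _ := ProvisionFleet(3, ownerPub)
	for _, d := range devs {
		fmt.Println(KnownHostsLine(d.ID+".example", d.HostPublicKey()))
		fmt.Println("  fingerprint:", Fingerprint(d.HostPublicKey()))
	}
}
```

Because every device holds a different key, a compromise of one unit only invalidates that unit's known_hosts line, and the OTP owner key lets the operator order a fresh key on that unit without ever transporting a private key over the link.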