Deploying/Enabling SSH during device turn up is an interactive process at the moment.
- key generation and key length selection
- confirming the key selection
Can APIC-EM REST API configure SSH via the API. This same use case can be applied to any configuration that is interactive in nature...the IOS asks you questions or to confirm a change/selected.
Currently APIC-EM does not provide for arbitrary CLI automation. That's where something like Prime Infrastructure fits today. PI will allow you to create a template to perform all kinds of CLI changes (including interactive commands). PI also offers a northbound REST API so that you can upload templates and trigger them to run.
That said, the PnP process can bootstrap a device with SSHv2, including keys so that the device goes from zero (i.e., out of the box) to fully manageable by APIC-EM and Prime Infra. This is referring to a private key in order to enable SSH. That said, PnP deals with the config of the device, so if you're talking about users' SSH public keys, then, yes. You can have a config template that has the fingerprints of public keys. Have successfully generated those in a config template that have pushed to APIC-EM in order to PnP-provision a device.