Small scale: You generate a keypair and give the public key to whoever is setting up your account on the server.

Large scale: You generate a keypair and give the public key to Vault or whatever, which signs it with the CA that all servers know to trust.