Finally! Got through stage 2 of the server configurations. All secure links are done and mounting as appropriate. NGINX is fully SSH enabled using automated off-system certificate generation. Both Casper and Melchior have been blocked off from direct outside access as far as admin access goes. This will be fun.
I didn't test rebooting the servers but I have no reason to believe that it won't work as expected. I guess I'll know when the day comes.
There was one door I had to get through that I hadn't accounted for: during key generation I could get the new keys set up, but I had no direct way to reload NGINX remotely. Here is what I ended up doing.
Add the service reload command to the sudoers file with no password required for elevation. This is safe because the files themselves can't be edited without root, and the sudoers definition is the whole explicit command with its parameters, nothing broader.
Add the new public key to authorized_keys with a forced command...
command="sudo /usr/sbin/service nginx force-reload",no-port-forwarding,no-X11-forwarding,from=[snip]
Generate a new passwordless key for this task.
Set up the key generation to finish with the command
ssh -i (file) (user)@casper
So on Balthasar, when the key generation is complete, it connects over SSH using the passwordless key; once that authenticates, the forced command in authorized_keys kicks in and runs the elevated command. When it finishes, the connection is terminated automatically and things move on.
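As an added example (not the author's own scripts), here is a small POSIX shell helper that builds the sudoers rule and the restricted authorized_keys line described above, and audits an authorized_keys file for reload keys that are missing the lock-down options. The user name, source host, sample key text, and the extra no-agent-forwarding/no-pty options are assumptions beyond what the post shows.

```shell
#!/bin/sh
# Added example: generate and audit the forced-command setup for the
# NGINX reload key. Paths, user name and sample key are assumptions.

RELOAD_CMD='/usr/sbin/service nginx force-reload'

# Sudoers line: exact command with its parameters, no password prompt,
# for the single user the reload key logs in as ($1).
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$RELOAD_CMD"
}

# authorized_keys line: forced command plus restrictions so the key can
# do nothing else even if it leaks. $1 = allowed source host/CIDR,
# $2 = public key text ("ssh-ed25519 AAAA... comment").
authorized_keys_line() {
    printf 'command="sudo %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="%s" %s\n' \
        "$RELOAD_CMD" "$1" "$2"
}

# Audit an authorized_keys file ($1): return 0 if every key whose forced
# command is the nginx reload also carries from= and no-port-forwarding,
# 1 if any such key is missing either restriction.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"command=\"sudo $RELOAD_CMD\""*)
                case "$line" in
                    *from=*no-port-forwarding*|*no-port-forwarding*from=*) ;;
                    *) bad=1 ;;
                esac ;;
        esac
    done < "$1"
    return $bad
}
```

Run `audit_authorized_keys ~/.ssh/authorized_keys` on the target host to catch a reload key that was pasted in without its restrictions.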