Where I work we have these smart cards (CACs) with x509 certs, protected by a PIN. There was some directive years ago to use these certs to login to all systems, but also the OpenSSH people said they would never support x509 for security reasons (x509 being too complex to be secure).
The result of all of this crap is that people in the Navy just pretend like having the keys from the x509 is good enough, and the people higher up are too dumb to tell the difference between an x509 and just the keys. So regular workers like me get out the keys and convert them to the OpenSSH format and use that and everything is fine.
We use a fork of PuTTY called PuTTY-CAC to read these CACs and get the private side. The public side we convert and place out on the server (or the IDM system).
Here are the commands to get the key from the x509 cert.
First get the key.
openssl x509 -in harris.cer -inform der -pubkey -noout > harris.tmp
Now put it in the OpenSSH format.
ssh-keygen -f harris.tmp -i -m PKCS8 > harris.pub