Provision the hosts with an SSH CA, and use the CA as a trust root in OpenSSH. There are various versions out there from the big players.
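What that setup looks like with stock `ssh-keygen`, as an added example that is not part of the original text. The host name, user name, 30-day and 1-day validity periods and the `/etc/ssh` paths in the config fragment are constructed assumptions.

```shell
#!/bin/sh
# Added example: an SSH CA as the trust root for host and user keys.
# All names, principals, lifetimes and paths below are constructed.
set -eu

# $1 = work dir, $2 = host principal (the name clients connect to), $3 = user principal
ssh_ca_demo() {
  local dir="$1" host="$2" user="$3"
  mkdir -p "$dir"
  # CA key pair: the private half signs certificates and should stay off the hosts.
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$dir/ca"
  # Host key plus host certificate (-h), bound to one principal, valid 30 days.
  ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$dir/ssh_host_ed25519_key"
  ssh-keygen -q -s "$dir/ca" -h -I "host:$host" -n "$host" -V +30d \
    "$dir/ssh_host_ed25519_key.pub"
  # User key plus user certificate, bound to one principal, valid 1 day.
  ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$dir/id_ed25519"
  ssh-keygen -q -s "$dir/ca" -I "user:$user" -n "$user" -V +1d "$dir/id_ed25519.pub"
  # Client side: one known_hosts line trusts every host cert the CA signed for $host.
  printf '@cert-authority %s %s\n' "$host" "$(cat "$dir/ca.pub")" > "$dir/known_hosts"
  # Server side: present the host certificate and accept user certs signed by the CA.
  cat > "$dir/sshd_config.fragment" <<EOF
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/ca.pub
EOF
}

# Succeeds only if certificate $2 was signed by the CA public key $1.
signed_by_ca() {
  local ca_fp cert_fp
  ca_fp=$(ssh-keygen -l -f "$1" | awk '{print $2}')
  cert_fp=$(ssh-keygen -L -f "$2" | awk '/Signing CA:/ {print $4}')
  [ -n "$ca_fp" ] && [ "$ca_fp" = "$cert_fp" ]
}

demo_dir=$(mktemp -d)
ssh_ca_demo "$demo_dir" host1.example.com alice
signed_by_ca "$demo_dir/ca.pub" "$demo_dir/ssh_host_ed25519_key-cert.pub" \
  && echo "host certificate chains to the CA"
signed_by_ca "$demo_dir/ca.pub" "$demo_dir/id_ed25519-cert.pub" \
  && echo "user certificate chains to the CA"
rm -rf "$demo_dir"
```

Short validity periods and a single principal per certificate limit what a stolen key can reach; `ssh-keygen -L -f <cert>` shows both fields when auditing what a CA has issued.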