A certificate authority (CA) is a third party trusted by hosts and users to sign their public keys. A user needs their public key signed by the CA in order to access a host, and a host needs its public key signed by the CA so that users can trust it is the host they intend to connect to.
Generate a host certificate authority
ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca
Generate a user certificate authority (CA)
ssh-keygen -t rsa -b 4096 -f user_ca -C user_ca
We could use a single CA; however, having one for users and one for hosts allows different teams to manage users and hosts.
Once we have our CA keys, we need to store them in a safe place and distribute the CA .pub files (host_ca.pub and user_ca.pub) so hosts and users can validate each other.
Sign the host public key. You need to bring over the public key of the host you want to sign.
ssh-keygen -s host_ca -I test -h -n test.com,test.local,test -V +52w ssh_host_rsa_key.pub
Sign the user public key
ssh-keygen -s user_ca -I user_name -n user_name -V +52w id_ed25519.pub
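Added example, not part of the original page: a shell sketch that replays the steps above in a scratch directory and then checks each certificate with ssh-keygen -L before it is deployed (certificate kind, signing CA, principals). The function names, the scratch directory, the stand-in host key and the passphrase-less throwaway keys are assumptions made for the example.

```sh
#!/bin/sh
# Added example: replay the signing steps in a scratch directory, then check
# each certificate before it is deployed. All keys here are throwaway.

# make_lab DIR: create both CAs, a stand-in host key and a user key, and sign
# them with the same ssh-keygen -s commands as in the text.
make_lab() {
    mkdir -p "$1" || return 1
    # -N '' (no passphrase) only because this is a lab; protect real CA keys.
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$1/host_ca" -C host_ca || return 1
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$1/user_ca" -C user_ca || return 1
    ssh-keygen -q -t rsa -N '' -f "$1/ssh_host_rsa_key" -C host || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$1/id_ed25519" -C user_name || return 1
    ssh-keygen -q -s "$1/host_ca" -I test -h -n test.com,test.local,test \
        -V +52w "$1/ssh_host_rsa_key.pub" || return 1
    ssh-keygen -q -s "$1/user_ca" -I user_name -n user_name \
        -V +52w "$1/id_ed25519.pub"
}

# cert_principals CERT: the names under "Principals:" in ssh-keygen -L output,
# joined with commas.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}' |
        paste -sd, -
}

# check_cert CERT KIND CA_PUB PRINCIPALS: succeed only if CERT is a KIND
# (host or user) certificate, signed by CA_PUB, for exactly PRINCIPALS.
check_cert() {
    out=$(ssh-keygen -L -f "$1") || return 1
    ca_fp=$(ssh-keygen -l -f "$3" | awk '{print $2}') || return 1
    echo "$out" | grep -q "Type: .* $2 certificate" || return 1
    echo "$out" | grep 'Signing CA:' | grep -qF " $ca_fp" || return 1
    [ "$(cert_principals "$1")" = "$4" ]
}

# known_hosts_line CA_PUB PATTERNS: client-side known_hosts line that trusts
# the host CA for the given host name patterns.
known_hosts_line() {
    echo "@cert-authority $2 $(cat "$1")"
}
```

A certificate signed without -h, or with the wrong CA key, fails check_cert for the host case, which is the mistake this check is meant to catch before the file reaches a server.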