copied from http://www.lorier.net/docs/ssh-ca - all credit there.
Using a CA with ssh means you can sign a key for a user, and everywhere that the user trusts the CA you can login, without having to copy your SSH key everywhere again. This allows for things like fast rollover of keys (eg: daily), or trusting the fingerprint of a machine that you're logging into, which can be very useful when you're managing large numbers of machines, or machines that get new host keys (eg by reinstalling) regularly.
You'll probably want at least openssh 5.6, although some of the functionality is available in 5.3. Creating the CA key
ssh-keygen -f /etc/ssh/ca