No, the ssh CA model works like this: servers trust one CA, and the CA signs user keys. No more distributing individual public keys to every machine.

It is the user machine that needs new certificate signed by the CA once the short-lived one expires.

Sounds like a job for dnssec and sshfp records

Ahh, now you have three problems…hrm