It's HostCertificate in sshd_config. Then in known_hosts:
@cert-authority *.example.com ssh-rsa AAAAB…
https://www.digitalocean.com/community/tutorials/how-to-crea...
Edit: Oh, you mean for making them more short lived.
Short-lived is one solution to limiting their lifetime: the other is to use a CRL format.
Either way, you need software to manage the issuance and later revocation.
I suppose you could build this into your host imaging profile, or use config management software. I'm just interested in what people do.
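As an added example (not part of either comment above), one way to script the issuance and revocation being discussed with plain `ssh-keygen`: a short-lived host certificate for `HostCertificate`, and OpenSSH's revocation list format (KRL) for withdrawing a certificate before it expires. The file names, the principal `host.example.com`, the serial numbers and the `+1d` lifetime are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Names such as host_ca and
# host.example.com are constructed for the demo.

# Create a throwaway host CA and a host key pair in directory $1.
make_keys() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo host CA' -f "$1/host_ca" &&
    ssh-keygen -q -t ed25519 -N '' -C 'demo host key' -f "$1/host_key"
}

# Sign the host key. -h: host certificate, -n: principals (names clients
# connect to), -V: validity window, -z: serial that a KRL can revoke.
# Writes $1/host_key-cert.pub, the file HostCertificate points at.
sign_host_key() {  # $1=dir  $2=validity, e.g. +1d  $3=serial
    ssh-keygen -q -s "$1/host_ca" -I "host.example.com-$3" -h \
        -n host.example.com -V "$2" -z "$3" "$1/host_key.pub"
}

# True if $1 is a host certificate with a bounded validity window
# (ssh-keygen -L prints "Valid: forever" when no -V was given).
is_short_lived_host_cert() {
    info=$(ssh-keygen -L -f "$1") || return 1
    printf '%s\n' "$info" | grep -q 'host certificate' &&
        printf '%s\n' "$info" | grep -q 'Valid: from'
}

# Add certificate $2 to KRL $1, creating the KRL if needed (-u updates).
revoke_cert() {
    if [ -f "$1" ]; then ssh-keygen -q -k -u -f "$1" "$2"
    else ssh-keygen -q -k -f "$1" "$2"; fi
}

# True if certificate $2 is listed in KRL $1. Clients enforce the same
# list through RevokedHostKeys in ssh_config.
is_revoked() {
    ssh-keygen -Q -f "$1" "$2" 2>/dev/null | grep -q ': REVOKED$'
}

# Rotation: issue serial 1, reissue as serial 2, then revoke serial 1.
rotate_demo() {  # $1=empty working directory
    make_keys "$1" && sign_host_key "$1" +1d 1 &&
    cp "$1/host_key-cert.pub" "$1/old-cert.pub" &&
    sign_host_key "$1" +1d 2 &&
    revoke_cert "$1/krl" "$1/old-cert.pub"
}
```

After `rotate_demo`, the contents of `host_ca.pub` are what goes on the `@cert-authority` line in known_hosts, and the `krl` file is what clients need to receive for the revocation to take effect.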