You're asking for something that is supported in X.509 but OpenSSH wrote their own certificate exchange standard that does not have support for those features.
HTTPS uses X.509. OpenSSH has no interest in supporting X.509 or, AFAIK, for changing their version to support anything but "self-signed" keys.
> You're asking for something that is supported in X.509
There's more than 1 way to skin this cat, and no, I'm not asking for the a specific solution you suggested.
SpaceX can implement any internal auth-scheme they choose to connect to a handful (not 41) of SSH intermediate instances, which then connect to the terminals
HTTPS uses X.509. OpenSSH has no interest in supporting X.509 or, AFAIK, for changing their version to support anything but "self-signed" keys.