Hmm, what I've always wondered: why can't I have the SSH public key of the server signed/certified the same way as an SSL public key?

That could e.g. allow me to specify "mark all SSH keys certified by company-internal CA as trusted" or to put the expected certificate into DNS...

This exists - http://man7.org/linux/man-pages/man1/ssh-keygen.1.html#CERTI... - though the tooling is a bit bare-bones. There are some tools written to use certificates though, such as Netflix's BLESS (https://github.com/Netflix/bless), Gravitational Teleport (https://github.com/gravitational/teleport) and my own (https://github.com/nsheridan/cashier)
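The host-certificate workflow the reply points to, as an added example that is not part of the thread: create an internal CA with ssh-keygen, sign a server's host key with it, and trust every host certificate from that CA with a single @cert-authority line in known_hosts. The key file names, hostname and domain are constructed for the demo, and the function returns cleanly when ssh-keygen is not installed.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal SSH host CA with ssh-keygen.
# All paths, the CA comment, the hostname and the domain are constructed.
set -eu

demo_ssh_host_ca() {
  if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "ssh-keygen not available; nothing to demonstrate" >&2
    return 0
  fi
  work=$(mktemp -d)
  # 1. The company-internal CA: an ordinary key pair kept off the servers.
  ssh-keygen -q -t ed25519 -N '' -C 'internal-ssh-ca' -f "$work/ca"
  # 2. The server's host key, as sshd itself would generate it.
  ssh-keygen -q -t ed25519 -N '' -f "$work/ssh_host_ed25519_key"
  # 3. Sign the host key: -h makes a host (not user) certificate, -n lists the
  #    hostnames it is valid for, -V bounds its lifetime (5 min back, 52 weeks on).
  ssh-keygen -q -s "$work/ca" -I 'host:server1.example.internal' -h \
    -n 'server1.example.internal' -V '-5m:+52w' \
    "$work/ssh_host_ed25519_key.pub"
  # 4. Clients trust the CA for the whole domain with one known_hosts line
  #    instead of one fingerprint entry per server.
  printf '@cert-authority *.example.internal %s\n' "$(cat "$work/ca.pub")" \
    > "$work/known_hosts"
  # 5. Inspect the certificate; a connecting client performs the same checks
  #    (CA signature, principal matches the hostname, validity window).
  ssh-keygen -L -f "$work/ssh_host_ed25519_key-cert.pub"
  # Sanity checks: the principal is in the cert and the CA line is in place.
  ssh-keygen -L -f "$work/ssh_host_ed25519_key-cert.pub" \
    | grep -q 'server1.example.internal'
  grep -q '^@cert-authority \*\.example\.internal ' "$work/known_hosts"
  rm -rf "$work"
}

demo_ssh_host_ca
```

Point sshd at the signed certificate with a HostCertificate directive and the client needs no per-host known_hosts entry, only the CA line; rotating the CA key revokes trust in every certificate it issued.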