A certificate authority (CA) is a third party trusted by both hosts and users to sign their public keys, producing certificates. A user needs their public key signed by the CA in order to access a host, and a host needs its public key signed by the CA so that users can trust that it is the host they intend to connect to.
Generate a host certificate authority
ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca
Generate a user certificate authority (CA)
ssh-keygen -t rsa -b 4096 -f user_ca -C user_ca
We could use a single CA; however, having one for users and one for hosts allows different teams to manage users and hosts.
Once we have our CA keys, we need to store them in a safe place and distribute the CA .pub files (host_ca.pub and user_ca.pub) so hosts and users can validate each other.
Sign the host public key. You need to bring the public key over from the host whose key you want to sign.
ssh-keygen -s host_ca -I test -h -n test.com,test.local,test -V +52w ssh_host_rsa_key.pub
Sign the user public key.
ssh-keygen -s user_ca -I user_name -n user_name -V +52w id_ed25519.pub
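The whole procedure above, run end to end with throwaway keys in a scratch directory, followed by a check that each certificate was signed by the intended CA. This is an added example, not part of the original notes. The empty passphrase (-N ''), the stand-in host and user keys, the .demo file names and the /etc/ssh paths are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: nothing under /etc/ssh or ~/.ssh is touched.

# fp FILE: SHA256 fingerprint of a public key file.
fp() { ssh-keygen -l -f "$1" | awk '{print $2}'; }

# signer CERT: fingerprint of the CA key that signed a certificate.
signer() { ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}'; }

# make_demo DIR: create both CAs, then sign one host key and one user key.
make_demo() (
    cd "$1" &&
    # -N '' (no passphrase) is for this demo only.
    ssh-keygen -q -t rsa -b 4096 -N '' -f host_ca -C host_ca &&
    ssh-keygen -q -t rsa -b 4096 -N '' -f user_ca -C user_ca &&
    # Stand-ins for the host's existing key and the user's existing key.
    ssh-keygen -q -t rsa -N '' -f ssh_host_rsa_key &&
    ssh-keygen -q -t ed25519 -N '' -f id_ed25519 &&
    # The two signing commands from the notes above.
    ssh-keygen -q -s host_ca -I test -h -n test.com,test.local,test \
        -V +52w ssh_host_rsa_key.pub &&
    ssh-keygen -q -s user_ca -I user_name -n user_name -V +52w id_ed25519.pub &&
    # Client side: known_hosts line that trusts host certs signed by host_ca.
    printf '@cert-authority test.com,test.local,test %s\n' \
        "$(cat host_ca.pub)" > known_hosts.demo &&
    # Server side: sshd_config lines (paths are assumed, not from the notes).
    printf '%s\n' 'HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' \
        'TrustedUserCAKeys /etc/ssh/user_ca.pub' > sshd_config.demo
)

# check_demo DIR: succeed only if each cert has the right type and signer.
check_demo() (
    cd "$1" &&
    [ "$(signer ssh_host_rsa_key-cert.pub)" = "$(fp host_ca.pub)" ] &&
    [ "$(signer id_ed25519-cert.pub)" = "$(fp user_ca.pub)" ] &&
    ssh-keygen -L -f ssh_host_rsa_key-cert.pub | grep -q 'host certificate' &&
    ssh-keygen -L -f id_ed25519-cert.pub | grep -q 'user certificate'
)

DEMO_DIR=$(mktemp -d)
make_demo "$DEMO_DIR" && check_demo "$DEMO_DIR" &&
    echo "certificates verified in $DEMO_DIR"
```

Running ssh-keygen -L -f on either -cert.pub file in the scratch directory prints the key ID, principals and validity window that the -I, -n and -V options set.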