As always, the main issue is that certificate chaining is not possible in SSH PK"I", so you need to have absolute trust in the machine that does the signing.