What's needed:

• add new setting for CA pubkey location
• add a setting for a secondary known hosts file that will be read-only, managed by puppet and will contain the entries necessary to support CA-signed host keys
• add new API endpoint to allow Foreman to retrieve the CA pubkey
• if CA pubkey is configured, validate on startup that the CA pubkey and cert are there
• modify options passed to ssh to conditionally use the cert and the secondary known hosts file