5

I have something like this in ~/.ssh/known_hosts on my Linux machine:

@cert-authority * ssh-rsa pubkeypubkeypubkey

And any server with a signed host key is automatically trusted by the OpenSSH client.

I regularly use PuTTY on my Windows PC. How do I achieve something similar?

iBug

2 Answers

6

2023 Update

PuTTY added support for CA certificate authentication in version 0.78, released on 2022-10-29.

PuTTY 0.78, released today, is a feature release. Its major new feature is support for OpenSSH's certificate system. PuTTY can now present certified user keys to an SSH server, and you can configure one or more trusted CAs so that it will automatically accept host keys signed by them.

...

And as commented: see https://www.chiark.greenend.org.uk/~sgtatham/quasiblog/putty-certificates/ for more implementation background details.

Configuration is described in the manual

4.19.4 Configuring PuTTY to accept host certificates

In some environments, the SSH host keys for a lot of servers will all be signed in turn by a central ‘certification authority’ (‘CA’ for short). This simplifies host key configuration for users, because if they configure their SSH client to accept host keys certified by that CA, then they don't need to individually confirm each host key the first time they connect to that server.

In order to do this, press the ‘Configure host CAs’ button in the ‘Host keys’ configuration panel. This will launch a secondary configuration dialog box where you can configure what CAs PuTTY will accept signatures from.

...


Old answer

CA certificate authentication as implemented by OpenSSH is not supported by PuTTY (yet).

No evidence of such a feature is found in the current ChangeLog and as a feature request it is also still listed as open on the PuTTY WishList

HBruijn
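An added example, not part of the answer above and not PuTTY's or OpenSSH's own code: a Python sketch that reads `@cert-authority` lines like the one in the question and lists each CA public key, its SHA256 fingerprint and its host patterns, so they can be checked before the CA is entered in PuTTY's 'Configure host CAs' dialog. The key blob, host names and the function name `parse_cert_authorities` are constructed for illustration.

```python
import base64
import hashlib
import struct

def _constructed_blob(key_type: bytes = b"ssh-ed25519") -> str:
    """Build a throwaway key blob (constructed sample, not a real CA key)."""
    body = bytes(range(32))
    raw = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(body)) + body
    return base64.b64encode(raw).decode()

_B = _constructed_blob()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, mirrors the layout in the question",
    f"@cert-authority * ssh-ed25519 {_B} all-hosts-ca",
    f"@cert-authority *.example.com,!test.example.com ssh-ed25519 {_B} scoped-ca",
    f"server1.example.com ssh-ed25519 {_B}",
    f"@cert-authority *.example.net ssh-rsa {_B} type-mismatch",
])

def parse_cert_authorities(text: str):
    """Return (entries, rejected_line_numbers) for @cert-authority lines."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4 or fields[0] != "@cert-authority":
            continue  # comments, blank lines, ordinary pinned host keys
        patterns, key_type, b64 = fields[1].split(","), fields[2], fields[3]
        try:
            blob = base64.b64decode(b64, validate=True)
            (tlen,) = struct.unpack(">I", blob[:4])
            inner_type = blob[4:4 + tlen].decode("ascii")
        except (ValueError, struct.error):
            rejected.append(lineno)  # not valid base64 or not an SSH key blob
            continue
        if inner_type != key_type:  # declared type must match the blob's own type string
            rejected.append(lineno)
            continue
        digest = hashlib.sha256(blob).digest()
        entries.append({
            "line": lineno,
            "patterns": patterns,
            "public_key": f"{key_type} {b64}",
            # Same SHA256 fingerprint format that ssh-keygen -l prints
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
            # A bare "*" means the CA can vouch for any host name
            "unscoped": "*" in patterns,
        })
    return entries, rejected

if __name__ == "__main__":
    for e in parse_cert_authorities(SAMPLE_KNOWN_HOSTS)[0]:
        print(e["line"], e["fingerprint"], e["patterns"], "UNSCOPED" if e["unscoped"] else "")
```

Entries flagged `unscoped` trust the CA for every host name, as the `*` in the question does; the fingerprint can be compared with `ssh-keygen -lf` run on the CA's public key file.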
1

PuTTY has now implemented the CA feature in the current snapshots, and it should be in the stable version soon.

Marek