So i know the best way of doing this is using a PKI so all you need to do is trust the CA on each server and then you can give keys/certs out as needed to auth against the servers.
Anyone have a good way of doing this? 
I would expect being able to revoke certs/keys would be needed?
A few options (none of which I’ve personally deployed, mind)
Netflix came up with BLESS as their bastion setup, but it’s tied to AWS. Someone came up with CURSE, which is AWS-free.
The other one I’ve seen is EKCA which has a similar approach.
There’s also smallstep which appears to have the same facility.
Client-side revocation might not be necessary if you e.g. issue certs that are valid for a very small window - e.g. <= 5 minutes at a time. You’ll need to kill any active connections in case of a Rapid Exit™ but you’d need that anyway.
CA revocation might be a bit trickier. The recommendation is to create a bunch of CA keypairs, keep all but the current one offline and have all the public keys trusted by your estate, for ease of rotation.
Once that’s done, then use something like Ansible to orchestrate rotation / removal of CA keys.