Hacker News

I looked at Vault, but I opted for a simpler, less flexible solution: rrsync (restricted rsync) to a tree available only to an account with its .ssh/authorized_keys populated with the host public keys with forced rrsync commands restricted to that host's secrets. Root is the only account that can read a host's corresponding private key, so that means an attacker must crack root to get this extra access - but why bother when the secret (e.g. private certificate) is already on the host for root to read? Code to translate the known_hosts into the .ssh/authorized_keys file is a dozen lines more than a Perl one-liner only because of triple checking to prevent damage to the result, e.g., in file system full circumstances. Chicken/egg: other means must manage host private keys and ssh_known_hosts. But you had to do that anyways.
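
A sketch of the known_hosts to authorized_keys translation described in the comment above, added here as an illustration; it is not the commenter's code. The secrets root, the rrsync path, the read-only `-ro` flag and the constructed sample key are assumptions.

```python
import base64, os, re, struct, tempfile

SECRETS_ROOT = "/srv/secrets"   # assumed layout: one subdirectory per host
RRSYNC = "/usr/bin/rrsync"      # assumed install path of rsync's rrsync script
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")

def fake_blob(keytype):
    """Constructed sample (not a real key): length-prefixed type name plus filler."""
    t = keytype.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + bytes(32)).decode()

def build_authorized_keys(known_hosts_text):
    """One forced-command line per plain host entry; anything doubtful is skipped."""
    out = []
    for raw in known_hosts_text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue  # comments, @cert-authority/@revoked markers, hashed names
        host, keytype, blob = fields[0].split(",")[0], fields[1], fields[2]
        if not SAFE_HOST.match(host):
            continue  # wildcards, [host]:port, path or quote characters
        try:
            key = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        n = struct.unpack(">I", key[:4])[0] if len(key) >= 4 else 0
        if key[4:4 + n] != keytype.encode():
            continue  # type named inside the blob must match the text field
        out.append(f'restrict,command="{RRSYNC} -ro {SECRETS_ROOT}/{host}" '
                   f'{keytype} {blob} {host}')
    return out

def write_atomically(path, lines, min_entries=1):
    """Replace path only after the new content is fully on disk."""
    if len(lines) < min_entries:
        raise ValueError("too few entries; keeping the existing file")
    data = ("\n".join(lines) + "\n").encode()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())  # a full disk fails by here, before the rename
        if os.path.getsize(tmp) != len(data):
            raise OSError("short write")
        os.replace(tmp, path)     # atomic within one file system
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
```

The `restrict` key option turns off forwarding and PTY allocation, so each host key can only run its forced rrsync command against its own subdirectory.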


