What's the process to set up OpenSSH to use X.509 PKI for authentication?

534 Asked by AnkitChauhan in SQL Server, Asked on Nov 29, 2021

I don't intend to simply put the public RSA key of an X.509 certificate into ~/.ssh/authorized_keys. I'm looking for a way to set up OpenSSH such that X.509 certificates signed by a pre-defined CA will automatically be granted access to the linked user account. RFC 6187 seems to suggest such a functionality, but I can't find any documentation on this, or whether it is implemented in OpenSSH at all. Here's a more elaborate description of what I want to do:

- A CA ("SSH-CA") is set up.
- This CA is used to sign user certificates with keyUsage=digitalSignature (and maybe the id-kp-secureShellClient extendedKeyUsage field).
- This certificate can now be used to log in on a server. The server does not require the public key to be present in authorized_keys. Instead, it is set up to trust the SSH-CA to verify the public key and signature of the certificate (or certificate chain) and the username/UID (probably directly in the subjectAltName field, or maybe using some server-side mapping) before the usual RSA authentication takes place.

So can we set up OpenSSH for X.509? If yes, how? If it requires a patch, how can client-side modifications be kept minimal?

Answered by Ankit Chauhan

In OpenSSH, X.509 certificate-based authentication is not normally supported.

The developers have maintained a stance that the complexity of X.509 certificates introduces an unacceptable attack surface for sshd. Instead, they have recently implemented an alternative certificate format that is much simpler to parse and thus introduces less risk. OpenSSH just uses the low-level cryptographic algorithms from OpenSSL. However, Roumen Petrov publishes OpenSSH builds that do include X.509 support, and you could try those. X.509 certificates can be used as "user identity" and/or "host key" in SSH "Public Key" and "Host-Based" authentication. Roumen Petrov's builds can be downloaded via this page. Here's a Debian how-to for SSH with an authentication key instead of a password that might also prove useful in setting up your OpenSSH to accept X.509 PKI for user authentication.
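The answer above points at OpenSSH's own, simpler certificate format as the supported way to get CA-signed logins. The script below is an added example, not part of the original answer or of the OpenSSH project: it creates a CA with ssh-keygen, signs a user key with a principal and a validity window, writes the sshd_config lines that make the server trust the CA, and checks which account a certificate would be accepted for. The CA name, the account `deploy`, the principal `ops-team`, the identity suffix `@example.org` and the `/etc/ssh` paths in the config snippet are all assumptions; everything is written to a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original answer): set up OpenSSH's native
# certificate CA, the alternative to X.509 that the answer mentions.
# Works in a scratch directory; the CA name, the 'deploy' account, the
# 'ops-team' principal and the /etc/ssh paths in the snippet are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Create the CA key pair. ca_key stays offline on the signing host;
#    only ca_key.pub is distributed to servers.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'ssh-ca' -f "$WORK/ca_key" </dev/null
}

# 2. Sign a user's public key with the CA.
#    -I  key identity, logged by sshd on every login with this cert
#    -n  principals the certificate is valid for (plays the role the
#        question assigns to subjectAltName)
#    -V  validity window relative to now (5 min of clock skew, 52 weeks)
#    Prints the path of the resulting certificate (<key>-cert.pub).
sign_user_key() {
    user="$1"
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORK/${user}_key" </dev/null
    ssh-keygen -q -s "$WORK/ca_key" -I "${user}@example.org" -n "$user" \
        -V '-5m:+52w' "$WORK/${user}_key.pub"
    printf '%s\n' "$WORK/${user}_key-cert.pub"
}

# 3. Server side: trust the CA and map certificate principals to local
#    accounts. Files are written under $WORK here; on a real host they
#    live under /etc/ssh as the paths inside the snippet say.
write_server_config() {
    cp "$WORK/ca_key.pub" "$WORK/ssh_user_ca.pub"
    cat > "$WORK/sshd_config.snippet" <<'EOF'
# User certificates signed by this CA are accepted without authorized_keys entries
TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
# Per-account list of principals allowed to log in as that account (%u = account)
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
    mkdir -p "$WORK/auth_principals"
    # Account 'deploy' accepts certificates carrying principal 'deploy' or 'ops-team'
    printf 'deploy\nops-team\n' > "$WORK/auth_principals/deploy"
}

# Print the principals embedded in a certificate, one per line
# (parsed from the human-readable 'ssh-keygen -L' dump).
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { p = 1; next }
        /Critical Options:/ { p = 0 }
        p { sub(/^[ \t]+/, ""); print }'
}

# Would this certificate be accepted for the given account under the
# principals files written above? Any of its principals must be listed.
cert_allowed_for() {
    cert="$1"; account="$2"
    cert_principals "$cert" | grep -qxF -f "$WORK/auth_principals/$account"
}

demo() {
    make_ca
    cert=$(sign_user_key deploy)
    write_server_config
    ssh-keygen -L -f "$cert"
    if cert_allowed_for "$cert" deploy; then
        echo "certificate accepted for account deploy"
    fi
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the single argument `demo` to see the certificate dump. The client side needs no patch at all: ssh loads `<key>-cert.pub` automatically when it sits next to `<key>`, so the user only receives the signed certificate file back from the CA. The server-side mapping the question asks about is the principal list in the certificate checked against AuthorizedPrincipalsFile; a certificate that carries none of the listed principals is refused even though its CA signature is valid, and sshd does the parsing with its own small format rather than an X.509 library.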
