Establishing trust without a single point of failure is a common 'challenge' in decentralized systems, but what you could instead do is use Trust On First Use with Public Key Pinning.
- Instead of distributing a root CA, each instance generates its own self-signed certificate.
- When a user first connects to another instance, they manually verify the fingerprint (e.g., display it via QR code, voice call, or some other 'out-of-band' method). Keep in mind that if this fingerprint is distributed insecurely, it defeats the whole purpose. This is also the main usability downside; depending on the application, manually verifying any fingerprint can be a hassle.
- Once accepted, the public key is "pinned" for future connections.
- If the key changes, the user is alerted to prevent a MiTM attack.