On the routers or switches where you ran "crypto key generate" (probably to enable SSH), the IOS generated a self-signed certificate. The startup config has a path to the certificate, which is read into the running configuration after the device starts.
I am also interested to see if the certificate can be excluded from config comparison.
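One way to exclude the certificate from a comparison is to normalize both configs before diffing. This is an added example, not part of the original post or any vendor tool. It assumes the startup config carries a `certificate self-signed <serial> nvram:<file>` line and the running config carries the same line followed by a hex body ending in `quit`; the sample configs and function names are constructed for illustration.

```python
import difflib
import re

# Constructed sample configs (trustpoint name, serial and hex are made up).
STARTUP = """\
hostname sw1
crypto pki certificate chain TP-self-signed-1234567890
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip ssh version 2
"""

RUNNING = """\
hostname sw1
crypto pki certificate chain TP-self-signed-1234567890
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101
  300D0609 2A864886 F70D0101 05050030
  quit
ip ssh version 2
"""

# Assumed line forms: path reference (startup) or bare serial plus body (running).
CERT = re.compile(r"^\s*certificate self-signed (\S+)(\s+nvram:\S+)?\s*$")
HEX = re.compile(r"^[0-9A-Fa-f\s]+$")


def normalize(config):
    """Return config lines with the self-signed certificate body masked out."""
    out, lines, i = [], config.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        m = CERT.match(line)
        if not m:
            out.append(line.rstrip())
            continue
        # Keep the serial so a regenerated certificate with a new serial still shows.
        out.append(f" certificate self-signed {m.group(1)} <excluded>")
        if m.group(2):
            continue  # startup form: path only, no hex body follows
        while i < len(lines) and HEX.match(lines[i]):
            i += 1  # skip the hex-encoded certificate body
        if i < len(lines) and lines[i].strip() == "quit":
            i += 1  # skip the terminator of the certificate block
    return out


def config_diff(a, b):
    """Unified diff of two configs after masking the certificate."""
    return list(difflib.unified_diff(normalize(a), normalize(b),
                                     "startup", "running", lineterm=""))
```

Only the certificate body and its file path are masked, so any other difference between the two configs is still reported.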