I am trying to harden my ssh setup using this material. It works fine, but I've got a question which I'm struggling to find the answer to.
Does anyone know if there is a way to check the ssh host/user certificate signature against the SSH CA? I know that I can just try to ssh into the host that holds that host certificate, and if it connects then the signature is obviously OK...
But I am writing an automation task and I need a programmatic way to make sure that the certificate file is signed by the CA. Say some ssh-keygen command or anything else.
UPDATE:
As @PKapp proposed:
I could compare two outputs: the fingerprint of the Signing CA from the server-side certificate and the fingerprint of the CA itself:
sudo ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub | grep -F "Signing CA" | sed 's/^[ \t]*//' | cut -d ' ' -f 4
SHA256:LkdPQLdx4tuZp7pG0g6nAJqilFd6ZzjGdgVEV9elrdA
sudo ssh-keygen -l -f /etc/ssh/id_ed25519-HostCA.pub | cut -d ' ' -f 2
SHA256:LkdPQLdx4tuZp7pG0g6nAJqilFd6ZzjGdgVEV9elrdA
If the filtered outputs are identical, then the certificates match...
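The same comparison can be done without shelling out to ssh-keygen, which is handy in an automation task that should not depend on a parsed text layout. The script below is an added example, not from the original post or from OpenSSH: it walks the binary layout of an ssh-ed25519-cert-v01@openssh.com certificate (as documented in OpenSSH's PROTOCOL.certkeys), pulls out the embedded signature key, computes the SHA256 fingerprint the way ssh-keygen -l prints it, and compares it with the CA's .pub file. Like the fingerprint comparison above, it checks which CA key the certificate names as its signer; it does not verify the signature bytes themselves. The sample CA key and certificate at the bottom are constructed for the example (the certificate carries a zero-filled placeholder signature), and the names bastion.example, HostCA and the helper functions are assumptions, not part of the original post.

```python
import base64
import hashlib
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"


def _pack_string(data: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Read one RFC 4251 string at offset; return (bytes, new_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n


def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints: base64 without '=' padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def blob_from_line(line: str) -> bytes:
    """Decode the base64 blob of a 'keytype base64 [comment]' line (.pub or -cert.pub)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'keytype base64 [comment]'")
    return base64.b64decode(fields[1])


def parse_ed25519_cert(blob: bytes) -> dict:
    """Walk the ssh-ed25519-cert-v01@openssh.com structure field by field."""
    off = 0
    cert_type, off = _read_string(blob, off)
    if cert_type != CERT_TYPE:
        raise ValueError(f"unsupported certificate type {cert_type!r}")
    _nonce, off = _read_string(blob, off)
    pk, off = _read_string(blob, off)                 # the certified Ed25519 public key
    serial, cert_kind = struct.unpack(">QI", blob[off:off + 12])
    off += 12
    key_id, off = _read_string(blob, off)
    principals_blob, off = _read_string(blob, off)    # nested list of strings
    valid_after, valid_before = struct.unpack(">QQ", blob[off:off + 16])
    off += 16
    _critical, off = _read_string(blob, off)
    _extensions, off = _read_string(blob, off)
    _reserved, off = _read_string(blob, off)
    signature_key, off = _read_string(blob, off)      # the CA public key blob
    signature, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    principals, p = [], 0
    while p < len(principals_blob):
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode("utf-8"))
    return {"public_key": pk, "serial": serial,
            "type": "user" if cert_kind == 1 else "host",
            "key_id": key_id.decode("utf-8"), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before,
            "signature_key": signature_key, "signature": signature}


def signing_ca_fingerprint(cert_line: str) -> str:
    """What the 'Signing CA' line of ssh-keygen -L reports."""
    return fingerprint(parse_ed25519_cert(blob_from_line(cert_line))["signature_key"])


def ca_fingerprint(ca_pub_line: str) -> str:
    """What ssh-keygen -l reports for the CA's .pub file."""
    return fingerprint(blob_from_line(ca_pub_line))


def issued_by(cert_line: str, ca_pub_line: str) -> bool:
    """True when the certificate names this CA key as its signer (identity check only)."""
    return signing_ca_fingerprint(cert_line) == ca_fingerprint(ca_pub_line)


# --- constructed sample data (not real keys; placeholder signature) ---
def _ed25519_blob(pk: bytes) -> bytes:
    return _pack_string(b"ssh-ed25519") + _pack_string(pk)


def _build_cert(host_pk: bytes, ca_blob: bytes) -> bytes:
    principals = _pack_string(b"bastion.example") + _pack_string(b"10.0.0.5")
    body = (_pack_string(CERT_TYPE) + _pack_string(b"\x00" * 32) + _pack_string(host_pk)
            + struct.pack(">QI", 42, 2) + _pack_string(b"bastion host key")
            + _pack_string(principals) + struct.pack(">QQ", 0, 2 ** 64 - 1)
            + _pack_string(b"") + _pack_string(b"") + _pack_string(b"") + _pack_string(ca_blob))
    placeholder_sig = _pack_string(b"ssh-ed25519") + _pack_string(b"\x00" * 64)
    return body + _pack_string(placeholder_sig)


CA_BLOB = _ed25519_blob(bytes(range(32)))
OTHER_CA_BLOB = _ed25519_blob(bytes(range(32, 64)))
HOST_CERT_BLOB = _build_cert(bytes(range(64, 96)), CA_BLOB)
CA_LINE = "ssh-ed25519 " + base64.b64encode(CA_BLOB).decode() + " HostCA (constructed)"
OTHER_CA_LINE = "ssh-ed25519 " + base64.b64encode(OTHER_CA_BLOB).decode() + " OtherCA (constructed)"
HOST_CERT_LINE = (CERT_TYPE.decode() + " " + base64.b64encode(HOST_CERT_BLOB).decode()
                  + " bastion.example (constructed)")

if __name__ == "__main__":
    print("Signing CA:", signing_ca_fingerprint(HOST_CERT_LINE))
    print("CA key:    ", ca_fingerprint(CA_LINE))
    print("issued by HostCA:", issued_by(HOST_CERT_LINE, CA_LINE))
    print("issued by OtherCA:", issued_by(HOST_CERT_LINE, OTHER_CA_LINE))
```

For a real deployment, feed `issued_by` the contents of the -cert.pub and the CA .pub files; the parsed dictionary also gives you the serial, principals and validity window, which an automation task usually wants to assert on at the same time.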