If you have stumbled on SSH certificates you may have had a question popping in your mind, “Why the hell no-one is talking about them?”.

The real answer is that they are a pain to use. Not because certificates are too difficult to create (that’s easy), or to revoke, but because the tooling is somehow absent.

So I made a thing and now I can check if a certificate is valid using a command called ssh-keycheck.

ssh-keycheck ~/.ca/your_ca_key.pub ~/.ssh/your_signed_key-cert.pub

The validity check is done by comparing the fingerprint of the given ca public key with the fingerprint of the signin ca public key. This approach is still vulnerable to hash collission but is good enough for my mantainance work.

The problem I set to solve was to know if I have the right host certificate and if it’s valid right now. The very same result could be accomplished by parsing the output of the commands ssh-keygen -L -f /path/to/certificate-cert.pub and ssh-keygen -l -f /path/to/ca.pub in a script as the following one does.

[[ $(ssh-keygen -f /path/to/certificate-cert.pub -L |grep "$(ssh-keygen -f /path/to/ca.pub -l|cut -d " " -f 2)" -A 3 |grep Valid |cut -d " " -f 13) > $(date +%Y-%m-%dT%H:%M:%S --date "+1 month") ]]

This is a one-liner that check it the signin ca is the provided and compare the expire date with the next month. It took a long time experimenting and is used by our ansible playbook to decide if it’s time to request another host certificate.

Obviously it could be much better, some line break, real variables etc but it would be a pain to operate as ansible provides the inputs from the playbook in JSON and we would have to query and return json from bash.


When checking the certificate the possible outcomes are.

  1. Not signed by the provided ca
  2. Start Date is still in the future (not valid)
  3. End Date is in the past (expired)
  4. Certificate file is not a certificate (public keys and certificates share the .pub extension)

So every one of them gets its personal return code that I can query from tools like bash, python, ansible and the likes.

Moreover because in ssh-keygen we are missing the obvious messages I’ve added some, both for stdout and stderr. This is very handy because you can record the output and show it somewhere else.

Get this marvel of code

You can find this useful tool in the ssh-keycheck branch for my fork of openssh-portable. The instructions to compile openssh-portable are hosted here and the openssh-portable team hosts a page where you can find more information.

The build process should be very simple as it is only 3 commands but you may have problems with the version of openssl.


I would like to improve some things in the future but this is enough for now. Let’s see if it’s good for you too.