I have an environment where I use ssh certificates to authenticate ssh host keys. I'm talking about the kind of certificates created by running ssh-keygen -s /path/to/ca -h .... These certificates are also created with a validity interval, stating when they will expire. These certificates have now been in use now long enough that I need to start monitor them, to get a heads up when they start getting close to expire.
Any way I can do a remote connection, without logging in, and somehow either get the validity interval displayed alt. get the certificate downloaded? Running ssh -vvv don't appear to display the info I need. Neither does ssh-keyscan appear to be certificate aware. Perhaps some library I haven't looked closely enough at?
Worst case I can always write a monitoring plugin which runs locally and parses the output of ssh-keygen -L -f. Still, a remote scan really feels like the preferable approach.
