Step CA: Add Auto-Renew to Host certificates

In the previous post, I discussed how to set up an SSH CA with step-ca and use it to access remote hosts. In that post, I briefly mentioned auto-renewal. This is a crucial step to take, because host certificates issued by step-ca only last for 30 days by default, and `step ssh renew` authenticates to the CA with the existing certificate: once that certificate has expired, renewal fails and the host has to be enrolled again. The renewal itself is a single command, run as root on the host:

step ssh renew -f /etc/ssh/ssh_host_ecdsa_key-cert.pub /etc/ssh/ssh_host_ecdsa_key

To simplify this process, I have written a small bash script that reads the expiry date from the certificate and renews it when fewer than 5 days of the validity period are left. Checking well before expiry matters for the reason above: a renewal attempt after the certificate has lapsed cannot succeed.

The script can be run every day as a cron job or as a systemd timer. It needs root, because it reads the host private key and, after a renewal, reloads sshd.

#!/bin/bash
# Renew the sshd host certificate issued by step-ca when it is close to expiry.
# Run daily from cron or a systemd timer, as root.
set -euo pipefail

CERTIFICATE_FILE=/etc/ssh/ssh_host_ecdsa_key-cert.pub
KEY_FILE=/etc/ssh/ssh_host_ecdsa_key
NO_OF_DAYS_BEFORE_EXPIRY=5

# ValidBefore is an RFC 3339 timestamp in the JSON that step prints.
EXPIRYDATE=$(step ssh inspect --format json "$CERTIFICATE_FILE" | jq -r '.ValidBefore')
EXPIRY_TIMESTAMP=$(date --date "$EXPIRYDATE" +%s)
TIMESTAMP_IN_FUTURE=$(date --date "$NO_OF_DAYS_BEFORE_EXPIRY days" +%s)

echo "The certificate will expire at $EXPIRYDATE, TS=$EXPIRY_TIMESTAMP"
echo "$NO_OF_DAYS_BEFORE_EXPIRY days in the future is $TIMESTAMP_IN_FUTURE"

# Compare as integers with -lt. The < operator inside [[ ]] is a string
# comparison and only gives the right answer while both numbers have the
# same number of digits.
if [[ "$EXPIRY_TIMESTAMP" -lt "$TIMESTAMP_IN_FUTURE" ]]
then
        echo "Need to renew"
        step ssh renew -f "$CERTIFICATE_FILE" "$KEY_FILE"
        # Depending on the OpenSSH version, sshd may only read the host
        # certificate at start-up, so make it re-read the renewed file.
        systemctl reload sshd
else
        echo "Renew later"
fi
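The expiry check and the scheduling, as an added example that is not part of the original post. It assumes GNU date (as on any Linux host running sshd), an install path of /usr/local/sbin/renew-ssh-host-cert.sh for the script above, and the unit names renew-ssh-host-cert.service and renew-ssh-host-cert.timer; all of these are assumptions, not something step-ca prescribes. The check is factored into a function that takes the clock as a parameter so it can be exercised against fixed timestamps, and the systemd units and cron line that L9 mentions are generated by functions that take the target directory as a parameter, so the same code can be dry-run into a temporary directory before touching /etc.

```bash
#!/bin/bash
# Added example, not from the original post or from step-ca. Assumed paths and
# unit names are marked below.
set -euo pipefail

# Decide whether a certificate needs renewing.
#   $1  ValidBefore as printed by `step ssh inspect --format json` (RFC 3339)
#   $2  renew when fewer than this many days remain
#   $3  optional "now" as a Unix timestamp (defaults to the current time;
#       lets a test pin the clock)
# Returns 0 (true) when renewal is due, 1 otherwise. Uses -lt, a numeric
# comparison; the string operator < in [[ ]] compares lexicographically.
needs_renewal() {
    local valid_before=$1 days=$2 now=${3:-$(date +%s)}
    local expiry threshold
    expiry=$(date --date "$valid_before" +%s)
    threshold=$(( now + days * 86400 ))
    [ "$expiry" -lt "$threshold" ]
}

# Write a oneshot service and a daily timer into $1 (default /etc/systemd/system).
# $2 is the renewal script; the default is an assumed install path.
# Persistent=true catches up a run missed while the host was off, and
# RandomizedDelaySec spreads the load on the CA when many hosts renew.
install_timer() {
    local dir=${1:-/etc/systemd/system}
    local script=${2:-/usr/local/sbin/renew-ssh-host-cert.sh}   # assumed path
    cat > "$dir/renew-ssh-host-cert.service" <<EOF
[Unit]
Description=Renew the sshd host certificate issued by step-ca
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=$script
EOF
    cat > "$dir/renew-ssh-host-cert.timer" <<EOF
[Unit]
Description=Daily check of the sshd host certificate

[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target
EOF
}

# Cron alternative: one line for /etc/cron.d, same script, same daily cadence.
# Runs as root because the host private key is only readable by root.
cron_line() {
    local script=${1:-/usr/local/sbin/renew-ssh-host-cert.sh}   # assumed path
    printf '%s\n' "17 3 * * * root $script"
}
```

After `install_timer` has written the units for real, enable them with `systemctl daemon-reload && systemctl enable --now renew-ssh-host-cert.timer`; `systemctl list-timers` then shows the next scheduled run. Use either the timer or the cron line, not both.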
