In the previous post, I discussed how to set up an SSH CA and use it to access remote hosts, and briefly mentioned automatic renewal. This is a crucial step, since the host certificates issued by a default SmallStep configuration only last about a month. Renewal itself is a single command. Note that step ssh renew authenticates to the CA with the existing certificate, so it must run while that certificate is still valid; once it has expired, the host has to be re-enrolled with a fresh token.
step ssh renew -f /etc/ssh/ssh_host_ecdsa_key-cert.pub /etc/ssh/ssh_host_ecdsa_key
To simplify this, I have written a small bash script that checks the expiry date and renews the certificate when fewer than 5 days of validity remain.
It can be run daily as a cron job or a systemd timer. It needs to run as root (or as a user that can read the host private key in /etc/ssh), and after a successful renewal sshd has to be reloaded, because it loads host keys and certificates only at startup.
#!/bin/bash
# Renew the SSH host certificate when fewer than NO_OF_DAYS_BEFORE_EXPIRY days remain.
set -euo pipefail

CERTIFICATE_FILE=/etc/ssh/ssh_host_ecdsa_key-cert.pub
KEY_FILE=/etc/ssh/ssh_host_ecdsa_key
NO_OF_DAYS_BEFORE_EXPIRY=5

# step ssh inspect --format=json prints ValidBefore as a timestamp that GNU date can parse
EXPIRYDATE=$(step ssh inspect --format=json "$CERTIFICATE_FILE" | jq -r '.ValidBefore')
TIMESTAMP_IN_FUTURE=$(date --date "$NO_OF_DAYS_BEFORE_EXPIRY days" +%s)
EXPIRY_TIMESTAMP=$(date --date "$EXPIRYDATE" +%s)

echo "The certificate will expire at $EXPIRYDATE, TS=$EXPIRY_TIMESTAMP"
echo "$NO_OF_DAYS_BEFORE_EXPIRY days in the future is $TIMESTAMP_IN_FUTURE"

# Compare as integers: inside [[ ]] the < operator is a string comparison,
# which only works for epoch timestamps by accident (same number of digits).
if (( EXPIRY_TIMESTAMP < TIMESTAMP_IN_FUTURE ))
then
    echo "Need to renew"
    step ssh renew -f "$CERTIFICATE_FILE" "$KEY_FILE"
    # sshd reads host keys and certificates at startup, so reload it (SIGHUP)
    # to serve the new certificate. The unit is sshd.service on most distributions;
    # Debian/Ubuntu provide it as an alias of ssh.service.
    systemctl reload sshd
else
    echo "Renew later"
fi
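As an added example, not part of the original post, here is the systemd timer variant mentioned above. It assumes the script is installed as /usr/local/sbin/renew-ssh-host-cert.sh (a hypothetical path and name) and that the unit names below are free on the host.

```ini
# /etc/systemd/system/renew-ssh-host-cert.service
# Added example; the script path and unit names are assumptions.
[Unit]
Description=Renew the SSH host certificate when it is close to expiry
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
# Runs as root so it can read the host private key in /etc/ssh and reload sshd
ExecStart=/usr/local/sbin/renew-ssh-host-cert.sh

# /etc/systemd/system/renew-ssh-host-cert.timer
[Unit]
Description=Daily check of the SSH host certificate expiry

[Timer]
OnCalendar=daily
# Spread the start over an hour so a fleet of hosts does not hit the CA at the same second
RandomizedDelaySec=1h
# Catch up at next boot if the host was off when the timer was due
Persistent=true

[Install]
WantedBy=timers.target
```

Install both files, then run systemctl daemon-reload followed by systemctl enable --now renew-ssh-host-cert.timer; systemctl list-timers shows the next scheduled run, and journalctl -u renew-ssh-host-cert.service shows the script's output. The cron equivalent is a single line in root's crontab, for example 0 3 * * * /usr/local/sbin/renew-ssh-host-cert.sh, which lacks the randomized delay and the catch-up-after-reboot behaviour the timer provides.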