Is there an easy way to validate that a certificate was signed by the cluster?

Hi,

Is there a good way to check that a client certificate was signed by the Teleport cluster? I’ve been wanting to use the certificates that tsh generates to do client-sent certificate authentication on a number of services.

Thanks,
Hunter

Hey Hunter,

You can fetch the certificate authority’s certificate using tctl get ca and use it to validate x509 or SSH certificates.

If you tell us a bit more about your use case, we can provide some examples.

Hi Sasha,

My current use case is to provide access to a Postgres database via client certificates, and I would like to be able to reuse the ones that our users already have generated via Teleport.

Thanks,
Hunter

That’s an interesting use case and definitely something we’ve had in mind when switching to x509. Ping us if you need any help setting it up.
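
The check suggested in the reply above (validate a certificate against the CA certificate obtained with tctl get ca), as an added example that is not part of the original thread. It assumes the cluster CA certificate has already been saved as a PEM file; the two CAs and the alice certificates are throwaway fixtures generated on the spot, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Every key and certificate here is a throwaway fixture
# generated on the spot; nothing comes from a real Teleport cluster.

# verify_client_cert CA_PEM CERT_PEM  (hypothetical helper name)
# Succeeds only if CERT_PEM chains to CA_PEM, is inside its validity window
# and is usable for TLS client auth. -no-CApath keeps the system CA
# directory out of the decision, so only the CA passed in is trusted.
verify_client_cert() {
    openssl verify -no-CApath -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# make_ca DIR CN: self-signed CA in DIR/ca.pem (stand-in for the PEM
# certificate taken from the `tctl get ca` output).
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# issue_cert DIR CN: client certificate DIR/CN.pem signed by DIR's CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca "$WORK/cluster" constructed-cluster-ca
make_ca "$WORK/other" constructed-other-ca
issue_cert "$WORK/cluster" alice
issue_cert "$WORK/other" alice     # same subject, different issuer

for d in cluster other; do
    if verify_client_cert "$WORK/cluster/ca.pem" "$WORK/$d/alice.pem"; then
        echo "$d/alice.pem: signed by the trusted CA"
    else
        echo "$d/alice.pem: rejected"
    fi
done
```

Postgres performs the same chain check itself when ssl_ca_file points at that CA PEM and the pg_hba.conf entry uses the cert method, which matches the certificate CN against the database user name.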