Is there an easy way to validate that a certificate was signed by the cluster?

#1

Hi,

Is there a good way to check that a client certificate was signed by the Teleport cluster? I’ve been wanting to use the certificates that tsh generates to do client sent certificate authentication on a number of services.

Thanks,
Hunter

0 Likes

#2

Hey Hunter,

You can fetch the certificate authority’s certificate using tctl get ca and use it to validate x509 or SSH certificates.

If you tell us a bit more about your use case, we can provide some examples.

0 Likes

#3

Hi Sasha,

My current use case is to provide access to a Postgres database via client certificates and would like to be able to reuse the ones that our users already have generated via Teleport.

Thanks,
Hunter

0 Likes

#4

That’s an interesting use case and definitely something we’ve had in mind when switching to x509. Ping us if you need any help setting it up.

0 Likes