Question
All systems that provide SSO must have the very same certificate. How can I check the local certificates?
Answer
You have to check the ucs-sso certificate on every system that provides SSO and compare them with each other. On the Master you can easily access all other UCS systems, retrieve the certificate and print the information needed to compare them.
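#!/bin/bash
# Resolve every address behind ucs-sso.<domain>, then reverse-resolve each one to its host name.
for ip in $( host "ucs-sso.$(dnsdomainname)" | awk '{print $4}' ); do
    for h in $( host "$ip" | sed -ne 's/.* //;s/\.$//p' ); do
        echo "Checking Host: '$h'"
        # StrictHostKeyChecking=no accepts unknown host keys without prompting.
        # $(dnsdomainname) is expanded locally, before the command is sent to the host.
        ssh -q "$h" -o StrictHostKeyChecking=no \
            openssl x509 -in "/etc/univention/ssl/ucs-sso.$(dnsdomainname)/cert.pem" -noout -text | \
            grep -Ei -A1 "(Version:|Key Identifier:)"
    done
done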
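The script above leaves the comparison to the reader. As an added example (not part of the original answer), the variant below goes one step further: it collects the SHA-256 fingerprint of each host's certificate and reports through its exit status whether they all match. The function names are hypothetical, and it assumes the hosts' SSH keys are already in known_hosts on the Master.

```shell
#!/bin/bash
# Added example: compare the ucs-sso certificate across hosts by fingerprint.
# Function names are hypothetical; the certificate path is the one used above.

# Print the SHA-256 fingerprint of the ucs-sso certificate stored on host $1.
# Assumes the host key is already trusted, so host-key checking stays enabled.
remote_fingerprint() {
    ssh -q "$1" openssl x509 -noout -fingerprint -sha256 \
        -in "/etc/univention/ssl/ucs-sso.$(dnsdomainname)/cert.pem" |
        sed -e 's/^.*=//'    # drop the "... Fingerprint=" prefix
}

# Read "host fingerprint" lines on stdin and print the hosts grouped by
# fingerprint. Returns 0 if every host has the same certificate, 1 if they
# differ or a host returned nothing, 2 if no fingerprint was read at all.
compare_fingerprints() {
    awk '
        NF == 0 { next }
        NF < 2  { printf "NO CERT READ: %s\n", $1; bad = 1; next }
        {
            if (!($2 in hosts)) n++
            hosts[$2] = hosts[$2] " " $1
        }
        END {
            for (fp in hosts) printf "%s:%s\n", fp, hosts[fp]
            if (n == 0) exit 2
            exit ((n > 1 || bad) ? 1 : 0)
        }'
}

# Walk every IPv4 address behind ucs-sso.<domain>, as the script above does.
check_sso_certs() {
    local ip h
    for ip in $(host "ucs-sso.$(dnsdomainname)" | awk '/has address/ {print $4}'); do
        for h in $(host "$ip" | sed -ne 's/.* //;s/\.$//p'); do
            printf '%s %s\n' "$h" "$(remote_fingerprint "$h")"
        done
    done | compare_fingerprints
}

# Run on the Master with:  ./script --run
if [ "${1:-}" = "--run" ]; then
    check_sso_certs
fi
```

More than one output line, or a non-zero exit status, means at least one SSO system holds a different certificate or could not be read.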