The ssh-keyscan command can be used to get the public host keys from an SSH server. In this example, the public host keys from SSH server server1.example.com will be obtained.
Running ssh-keyscan against server1.example.com should produce output like this. Notice there are two keys: one is the ECDSA key, and the other is the Ed25519 key.
server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHXIAfxTJu1y7QdQNrk6xh41FH1fqIVbG2Skvhx49PDfvm5pCdiyHqPP0pcyM7UGJOAPazKNENGZtqmnH8CUDo0=
server1.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMwKQuwRNdPMrcw6keHLMiVwPJWvy0XVqaybWxqQQ5ll
If you want to get a certain type of key, the -t option can be used.
ssh-keyscan -t ecdsa server1.example.com
Often, this command is used to append the public host keys from an SSH server to your known_hosts file, so that you are not presented with the following message when attempting to make an SSH connection to the SSH server.
~]# ssh email@example.com
The authenticity of host 'server1 (192.168.0.5)' can't be established
DSA key fingerprint is BB37 83F2 5E3A 7A4C 6C84 F047 D97B DD4E 38BB 2082
Are you sure you want to continue connecting (yes/no)?
When the objective is to append the public host keys from an SSH server to your known_hosts file, redirection can be used to perform this task, like this.
ssh-keyscan server1.example.com >> $HOME/.ssh/known_hosts
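
ssh-keyscan does not verify the keys it returns, and a plain >> adds duplicate lines on every run, so the following added example (not part of the original page) appends only entries that are new and refuses any key that conflicts with one already recorded for the same host and key type. The function name merge_known_hosts and the temporary file names are assumptions, and it handles only plain, unhashed single-host entries such as ssh-keyscan prints without -H.

```shell
#!/bin/sh
# Added example: merge ssh-keyscan output into a known_hosts file.
# Assumes plain "host keytype key" lines (no hashed or comma-separated hosts).

merge_known_hosts() {   # usage: merge_known_hosts SCAN_FILE KNOWN_HOSTS_FILE
    scan_file=$1
    known_hosts=$2
    rc=0
    [ -f "$known_hosts" ] || : > "$known_hosts"
    while read -r host keytype key _rest || [ -n "$host" ]; do
        # Skip blank lines and "# host:port banner" comment lines.
        case $host in ''|'#'*) continue ;; esac
        # Key already recorded for this host and key type, if any.
        recorded=$(awk -v h="$host" -v t="$keytype" \
            '$1 == h && $2 == t { print $3; exit }' "$known_hosts")
        if [ -z "$recorded" ]; then
            printf '%s %s %s\n' "$host" "$keytype" "$key" >> "$known_hosts"
            echo "added: $host $keytype"
        elif [ "$recorded" = "$key" ]; then
            echo "unchanged: $host $keytype"
        else
            # A different key for a known host: do not add it; verify out of band.
            echo "MISMATCH: $host $keytype differs from recorded key" >&2
            rc=1
        fi
    done < "$scan_file"
    return "$rc"
}

# Demo with constructed sample data (key strings are placeholders, not real keys).
demo_dir=$(mktemp -d)
printf '%s\n' '# server1.example.com:22 SSH-2.0-OpenSSH' \
    'server1.example.com ecdsa-sha2-nistp256 AAAAconstructedECDSAkey=' \
    'server1.example.com ssh-ed25519 AAAAconstructedED25519key' > "$demo_dir/scan"
merge_known_hosts "$demo_dir/scan" "$demo_dir/known_hosts"   # adds both keys
merge_known_hosts "$demo_dir/scan" "$demo_dir/known_hosts"   # nothing appended
echo 'server1.example.com ssh-ed25519 AAAAconstructedOTHERkey' > "$demo_dir/scan"
merge_known_hosts "$demo_dir/scan" "$demo_dir/known_hosts" || echo "exit status: $?"
rm -rf "$demo_dir"
```

In real use, SCAN_FILE would be the saved output of ssh-keyscan, and a MISMATCH is the point to compare the key fingerprint against one obtained from the server's administrator before changing known_hosts.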