Verify that an SSH command has not been embedded in a certificate?

From man 8 sshd with regard to the Authorized Keys File Format and the command="command" option:

Note that this command may be superseded by either an sshd_config(5) ForceCommand directive or a command embedded in a certificate.

Using ssh-keygen -O force-command="command" allows a command to be embedded in a certificate. But how does one verify that a command has not been embedded in a certificate? Along these same lines of preventing unexpected commands from being executed, does ForceCommand always override a command embedded in a certificate?

"Can a malicious user bypass a ssh authorized_keys forced command?" asks a more general question about security, but currently the answers there do not mention commands embedded in certificates.


The ssh-keygen man page says:

-O option

        Specify a certificate option when signing a key.

The -O force-command=command option relates to certificates, not keys.

You will need to generate a certificate by signing a key, then you should be able to decode the certificate and see the embedded command.
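To illustrate the decoding step, here is an added example (not part of the original answer and not OpenSSH code) that parses a `*-cert.pub` line and returns its critical options, the field where `force-command` is stored; `ssh-keygen -L -f <certificate>` prints the same information on the command line. The function names, the `KEY_FIELDS` table (limited to three certificate types) and the sample certificate are assumptions made for the example; the sample is constructed with a dummy key and an empty signature, and the parser does not check signatures.

```python
import base64
import struct

# Public-key fields between the nonce and the serial, per type (PROTOCOL.certkeys).
KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1,
              "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}

def read_string(buf, off):
    """Read one SSH string (uint32 length + bytes); return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def critical_options(cert_line):
    """Return {name: value} of the critical options in one *-cert.pub line."""
    blob = base64.b64decode(cert_line.split()[1])
    ktype, off = read_string(blob, 0)
    for _ in range(1 + KEY_FIELDS[ktype.decode()]):   # nonce + public key fields
        _, off = read_string(blob, off)
    off += 8 + 4                                      # serial (uint64), type (uint32)
    _, off = read_string(blob, off)                   # key id
    _, off = read_string(blob, off)                   # valid principals
    off += 8 + 8                                      # valid after, valid before
    opts, _ = read_string(blob, off)
    found, pos = {}, 0
    while pos < len(opts):
        name, pos = read_string(opts, pos)
        data, pos = read_string(opts, pos)            # value is itself a wrapped string
        found[name.decode()] = read_string(data, 0)[0].decode() if data else ""
    return found

def pack_string(b):
    return struct.pack(">I", len(b)) + b

def sample_cert(options):
    """Constructed ed25519 certificate line with dummy key and empty signature."""
    t = b"ssh-ed25519-cert-v01@openssh.com"
    crit = b"".join(pack_string(k.encode()) + pack_string(pack_string(v.encode()))
                    for k, v in options.items())
    body = (pack_string(t) + pack_string(bytes(32)) * 2 + struct.pack(">QI", 0, 1)
            + pack_string(b"demo") + pack_string(pack_string(b"alice"))
            + struct.pack(">QQ", 0, 2**64 - 1) + pack_string(crit)
            + pack_string(b"") * 4)
    return t.decode() + " " + base64.b64encode(body).decode() + " constructed"

if __name__ == "__main__":
    print(critical_options(sample_cert({"force-command": "/usr/bin/uptime"})))
```

A certificate with no embedded command yields a dictionary without a `force-command` key.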