--- layout: docs page_title: pki verify-sign - Command description: |- The "pki verify-sign" command verifies the relationship between two issuer certificates in vault --- > [!IMPORTANT] > **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website. # pki verify-sign This command verifies whether the listed issuer has signed the listed issued certificate. This command returns five fields of information: - `signature_match`: was the key of the issuer used to sign the issued. - `path_match`: the possible issuer appears in the valid certificate chain of the issued. - `key_id_match`: does the [key id](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1) of the issuer match the key_id of the subject. - `subject_match`: does the subject name of the issuer match the issuer subject of the issued. - `trust_match`: if someone trusted the parent issuer, is the chain provided sufficient to trust the child issued. ## Usage Usage: `vault pki verify-sign ` - `` is the fully name-spaced path to the issuer certificate which will be used to verify the `` certificate - `` is the fully name-spaced path to the potential child-certificate to be verified A fully namespaced path looks like, for instance, 'ns1/mount1/issuer/issuerName/json'. ## Example ```shell-session $ vault pki verify-sign pki_root/issuer/root pki_int/issuer/FirstDepartment issuer:pki_root/issuer/root issued:pki_int/issuer/FirstDepartment field value ----- ----- subject_match true path_match true trust_match true key_id_match true signature_match true ```