---
layout: docs
page_title: pki - Command
description: |-
  The "pki" command groups subcommands for interacting with Vault's PKI
  secrets engine.
---

# pki

The `pki` command groups subcommands for interacting with Vault's
[PKI Secrets Engine](/vault/docs/secrets/pki).

## Syntax

Option flags for a given subcommand are provided after the subcommand, but before the arguments.

## Example health check

To [health check](/vault/docs/commands/pki/health-check) a mount, use the
`vault pki health-check <mount>` command:

```
$ vault pki health-check pki
ca_validity_period
------------------
status    endpoint                                            message
------    --------                                            -------
ok        /pki/issuer/da41ffb1-cc6d-5a5c-f147-e4d7beeb1b73    Issuer's validity (2032-12-17) is OK

... more output elided ...
```

## Example verify sign

To [verify](/vault/docs/commands/pki/verify-sign) the signature between two
issuer certificates, use the `vault pki verify-sign <parent> <child>` command:

```shell-session
$ vault pki verify-sign pki_root/issuer/root pki_int/issuer/FirstDepartment
issuer:pki_root/issuer/root
issued:pki_int/issuer/FirstDepartment

field              value
-----              -----
subject_match      true
path_match         true
trust_match        true
key_id_match       true
signature_match    true
```

## Example list child issuers

To [list intermediate](/vault/docs/commands/pki/list-intermediates) certificates
potentially issued by a certificate inside vault, use the
`vault pki list-intermediates <parent>` command:

```shell-session
$ vault pki list-intermediates /pki_root/issuer/default
intermediate                                             match?
------------                                             ------
pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b    true
pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581    true
pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c     true
pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958      true
pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837      true
```

## Example issue

To [issue](/vault/docs/commands/pki/issue) a new issuer certificate, use the
`vault pki issue <parent-certificate-path> <mount>` command:

```shell-session
$ vault pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com"
Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL...
```

## Example reissue

To [reissue](/vault/docs/commands/pki/reissue) an issuer certificate, using the
same fields as an existing issuer template, use the
`vault pki reissue <parent-certificate-path> <template> <mount>` command:

```shell-session
$ vault pki reissue -issuer_name="SecondDepartment" /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ common_name="second-department.example.com"
Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIUdfRe05B5eRXsg3pvsJ/g94eYuWkwDQYJKoZIhvcNAQEL```