---
layout: docs
page_title: pki list-intermediates - Command
description: |-
  The "pki list-intermediates" command searches a mount, or set of mounts, for child certificates.
---

# pki list-intermediates

This command determines which of a list of certificates were issued by a given parent certificate.

## Usage

Usage: `vault pki list-intermediates [flags] <parent> [child] [child] [child...]`

Lists the set of intermediate CAs issued by this parent issuer.

- `[flags]` listed below determine the type of match required between the `<parent>` and each potential child, and the type of output.
- `<parent>` is the certificate that might be the issuer, which everything is verified against.
- `[child]` is an optional path to a certificate to be compared to the `<parent>`, or a pki mount to look for certificates on. If `[child]` is omitted entirely, the list will be constructed from all accessible pki mounts.

This returns a list of issuing certificates and whether they are a match. By default, the type of match required is whether the `<parent>` has the expected subject, an [authority/subject key id match](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1), and could have (directly) signed this issuer. The match criteria can be updated by changing the corresponding flag.

### Flags

- `-use_names` `(bool: "false")` - determines how issuers are referred to in the output: by issuer_id (the default), or by their name and their status as default issuer (when `use_names` is true).

The following flags determine what sorts of relationships between the parent and potential child issuers are considered a match.

- `-subject_match` `(bool: "true")` - determines whether the subject of the parent issuer must match the issuer of the potential child for this to be considered a match.
- `-key_id_match` `(bool: "true")` - determines whether the subject key identifier of the parent issuer must match the authority key identifier of the potential child for this to be considered a match.
- `-direct_verify` `(bool: "true")` - determines whether it is required for this to be a match that someone trusting the parent certificate would trust the potential child certificate (without any more information).
- `-indirect_sign` `(bool: "true")` - determines whether it is required for this to be a match that someone trusting the parent certificate would trust the potential child certificate (using the certificate chains available).
- `-path_contains` `(bool: "false")` - determines whether it is required for this to be a match that the ca_chain of the potential child certificate contains the parent certificate.

### Accessed APIs

Note that the vault user running this command will need to have access to the following API endpoints, each representing a step in the process:

- `READ /:parent`
- `LIST /sys/mounts` - when no `[child]` argument is provided, this is used to find a list of pki mounts.
- `LIST /:child_mount/issuers/` - when no `[child]` argument is provided, or the `[child]` argument is a mount rather than an issuer, this is used to find a list of pki issuers on the mount.
- `READ /:child` - each potential child issuer is read for comparison against the parent.

## Examples

```shell-session
$ vault pki list-intermediates /pki_root/issuer/default
intermediate                                            match?
------------                                            ------
pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b   true
pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581   true
pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c    true
pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958     true
pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837     true
```
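The four relationship checks described under Flags (subject match, key id match, direct verification and indirect signing) can be reproduced outside Vault with Go's standard `crypto/x509` package. The following is an added example, not code from Vault or this page: it builds a small constructed hierarchy (a root, an intermediate it signed, an issuing CA one level further down, and a look-alike root that reuses the real root's subject name but has its own key) and evaluates each candidate against the root. The `MatchResult`, `CheckChild`, `newCA` and `Scenario` names are this example's own, not Vault's.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MatchResult records how a potential child relates to a candidate parent,
// mirroring the subject_match, key_id_match, direct_verify and indirect_sign
// criteria (hypothetical type; not part of Vault).
type MatchResult struct {
	SubjectMatch bool // parent's Subject equals the child's Issuer
	KeyIDMatch   bool // parent's SubjectKeyId equals the child's AuthorityKeyId
	DirectVerify bool // child chains to the parent with no extra certificates
	IndirectSign bool // child chains to the parent through the supplied chain
}

// DefaultMatch applies the default criteria: subject, key id and direct verification.
func (m MatchResult) DefaultMatch() bool {
	return m.SubjectMatch && m.KeyIDMatch && m.DirectVerify
}

// CheckChild compares one potential child against the parent. chain holds any
// certificates that may sit between them (only used for the indirect check).
func CheckChild(parent, child *x509.Certificate, chain []*x509.Certificate) MatchResult {
	roots := x509.NewCertPool()
	roots.AddCert(parent)
	inters := x509.NewCertPool()
	for _, c := range chain {
		inters.AddCert(c)
	}
	anyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
	_, directErr := child.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: anyUsage})
	_, indirectErr := child.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: anyUsage})
	return MatchResult{
		SubjectMatch: bytes.Equal(parent.RawSubject, child.RawIssuer),
		KeyIDMatch:   len(parent.SubjectKeyId) > 0 && bytes.Equal(parent.SubjectKeyId, child.AuthorityKeyId),
		DirectVerify: directErr == nil,
		IndirectSign: indirectErr == nil,
	}
}

// newCA issues a constructed CA certificate named cn; with parent == nil it is
// self-signed. Go fills in SubjectKeyId for CA templates and copies
// AuthorityKeyId from the signer, which is what the key id check relies on.
func newCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario builds root -> intermediate -> issuingCA plus a look-alike root with
// the same subject name but a different key, and checks each against root.
func Scenario() map[string]MatchResult {
	root, rootKey := newCA("Example Root", nil, nil)
	inter, interKey := newCA("Example Intermediate", root, rootKey)
	issuingCA, _ := newCA("Example Issuing CA", inter, interKey)
	lookalike, lookalikeKey := newCA("Example Root", nil, nil)
	spoofed, _ := newCA("Example Intermediate", lookalike, lookalikeKey)
	return map[string]MatchResult{
		"intermediate": CheckChild(root, inter, nil),
		"issuingCA":    CheckChild(root, issuingCA, []*x509.Certificate{inter}),
		"spoofed":      CheckChild(root, spoofed, nil),
	}
}

func main() {
	for name, r := range Scenario() {
		fmt.Printf("%-13s subject=%-5t keyid=%-5t direct=%-5t indirect=%-5t default_match=%t\n",
			name, r.SubjectMatch, r.KeyIDMatch, r.DirectVerify, r.IndirectSign, r.DefaultMatch())
	}
}
```

The output makes the interplay of the flags concrete: the real intermediate satisfies every criterion; the issuing CA two levels down fails subject, key id and direct verification but passes the indirect check once the intermediate is available as chain material; and the certificate issued by the look-alike root passes the subject comparison alone, which is why the default match also requires the key identifier and a successful signature verification rather than a subject name that any CA can copy.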