mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/commands/pki/issue.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

76 lines
3.2 KiB
Plaintext
Raw Permalink Blame History

---
layout: docs
page_title: pki issue - Command
description: |-
The "pki issue" command issues a new intermediate ("issuer") certificate,
using a parent certificate in vault.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# pki issue
This command creates a intermediate certificate authority certificate signed by
the `<parent>` in the `<child_mount>`, using the options to determine the fields
on that certificate.
## Usage
Usage: `vault pki issue [flags] <parent> <child_mount> [options]`
- `[flags]` are optional arguments described below
- `<parent>` is the fully qualified path of the Certificate Authority in vault
which will issue the new intermediate certificate.
- `<child_mount>` is the path of the mount in vault where the new issuer is saved.
- `[options]` are the superset of the k=v options passed to generate-intermediate-csr
and sign-intermediate commands. At least one option must be set.
See [below](/vault/docs/commands/pki/issue#options).
### Flags
- `-type` `(string: "internal")` - This determines the type of key use for the
newly created certificate. Valid types are `"existing"` - where we link to
a key already present in the vault-backend to be used (and expect option
arguments `"key_ref"`) - `"internal"` - to generate a new key for this
certificate - or `"kms"` - to link to an external key. Exported keys are not
available through this API.
- `-issuer_name` `(string: "")` - If present, the newly created issuer will be
given this name.
### Options
Other than `type` (which is passed as a flag, see above), this command accepts
all options provided to the
[Generate CSR](/vault/api-docs/secret/pki#generate-intermediate-csr) and
[Sign Intermediate](/vault/api-docs/secret/pki#sign-intermediate) endpoints.
### Accessed APIs
Note that the vault user running this command will need to have access to the
following API endpoints, each representing a step in the process:
- `READ /:parent` - used to check validity
- `WRITE /:child_mount/intermediate/generate/:type` - used to generate the csr
- `WRITE /:parent/sign-intermediate` - used to sign the csr
- `WRITE /:child_mount/issuers/import/cert` - used to import the new issuer,
and the issuer chain
- `UPDATE /:child_mount/issuer/:issuer_refs` - used to both name the new
issuer, and also set the name of the parent in the issuer chain
- `READ /:child_mount/issuer/:new_issuer_ref` - used to verify completion,
generate the output
## Examples
```shell-session
$ vault pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com"
Key Value
--- -----
ca_chain [-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL...
```
Reference in New Issue View Git Blame Copy Permalink