mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-22 23:21:08 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
60 lines
2.0 KiB
Plaintext
60 lines
2.0 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: pki verify-sign - Command
|
|
description: |-
|
|
The "pki verify-sign" command verifies the relationship between two issuer
|
|
certificates in vault
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# pki verify-sign
|
|
|
|
This command verifies whether the listed issuer has signed the listed issued
|
|
certificate.
|
|
|
|
This command returns five fields of information:
|
|
|
|
- `signature_match`: was the key of the issuer used to sign the issued.
|
|
|
|
- `path_match`: the possible issuer appears in the valid certificate chain
|
|
of the issued.
|
|
|
|
- `key_id_match`: does the [key id](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1)
|
|
of the issuer match the key_id of the subject.
|
|
|
|
- `subject_match`: does the subject name of the issuer match the issuer
|
|
subject of the issued.
|
|
|
|
- `trust_match`: if someone trusted the parent issuer, is the chain
|
|
provided sufficient to trust the child issued.
|
|
|
|
## Usage
|
|
|
|
Usage: `vault pki verify-sign <parent> <child>`
|
|
|
|
- `<parent>` is the fully name-spaced path to the issuer certificate which will be
|
|
used to verify the `<child>` certificate
|
|
|
|
- `<child>` is the fully name-spaced path to the potential child-certificate to be
|
|
verified
|
|
|
|
A fully namespaced path looks like, for instance, 'ns1/mount1/issuer/issuerName/json'.
|
|
|
|
## Example
|
|
|
|
```shell-session
|
|
$ vault pki verify-sign pki_root/issuer/root pki_int/issuer/FirstDepartment
|
|
issuer:pki_root/issuer/root
|
|
issued:pki_int/issuer/FirstDepartment
|
|
|
|
field value
|
|
----- -----
|
|
subject_match true
|
|
path_match true
|
|
trust_match true
|
|
key_id_match true
|
|
signature_match true
|
|
```
|