mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-15 19:17:02 +02:00
f4f0412b6a
* Convert documentation titles to sentense case * Docker, Google, Foundry, Cloud proper case
95 lines
3.2 KiB
Plaintext
95 lines
3.2 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: pki - Command
|
|
description: |-
|
|
The "pki" command groups subcommands for interacting with Vault's PKI
|
|
secrets engine.
|
|
---
|
|
|
|
# pki
|
|
|
|
The `pki` command groups subcommands for interacting with Vault's
|
|
[PKI Secrets Engine](/vault/docs/secrets/pki).
|
|
|
|
## Syntax
|
|
|
|
Option flags for a given subcommand are provided after the subcommand, but before the arguments.
|
|
|
|
## Example health check
|
|
|
|
To [health check](/vault/docs/commands/pki/health-check) a mount, use the
|
|
`vault pki health-check <mount>` command:
|
|
|
|
```
|
|
$ vault pki health-check pki
|
|
ca_validity_period
|
|
------------------
|
|
status endpoint message
|
|
------ -------- -------
|
|
ok /pki/issuer/da41ffb1-cc6d-5a5c-f147-e4d7beeb1b73 Issuer's validity (2032-12-17) is OK
|
|
|
|
... more output elided ...
|
|
```
|
|
|
|
## Example verify sign
|
|
|
|
To [verify](/vault/docs/commands/pki/verify-sign) the signature between two
|
|
issuer certificates, use the `vault pki verify-sign <parent> <child>` command:
|
|
|
|
```shell-session
|
|
$ vault pki verify-sign pki_root/issuer/root pki_int/issuer/FirstDepartment
|
|
issuer:pki_root/issuer/root
|
|
issued:pki_int/issuer/FirstDepartment
|
|
|
|
field value
|
|
----- -----
|
|
subject_match true
|
|
path_match true
|
|
trust_match true
|
|
key_id_match true
|
|
signature_match true
|
|
```
|
|
|
|
## Example list child issuers
|
|
|
|
To [list intermediate](/vault/docs/commands/pki/list-intermediates) certificates
|
|
potentially issued by a certificate inside vault, use the
|
|
`vault pki list-intermediates <parent>` command:
|
|
|
|
```shell-session
|
|
$ vault pki list-intermediates /pki_root/issuer/default
|
|
intermediate match?
|
|
------------ ------
|
|
pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b true
|
|
pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581 true
|
|
pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c true
|
|
pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958 true
|
|
pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837 true
|
|
```
|
|
|
|
## Example issue
|
|
|
|
To [issue](/vault/docs/commands/pki/issue) a new issuer certificate, use the
|
|
`vault pki issue <parent-certificate-path> <mount>` command:
|
|
|
|
```shell-session
|
|
$ vault pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com"
|
|
Key Value
|
|
--- -----
|
|
ca_chain [-----BEGIN CERTIFICATE-----
|
|
MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL...
|
|
```
|
|
|
|
## Example reissue
|
|
|
|
To [reissue](/vault/docs/commands/pki/reissue) an issuer certificate, using the
|
|
same fields as an existing issuer template, use the
|
|
`vault pki reissue <parent-certificate-path> <template> <mount>` command:
|
|
|
|
```shell-session
|
|
$ vault pki reissue -issuer_name="SecondDepartment" /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ common_name="second-department.example.com"
|
|
Key Value
|
|
--- -----
|
|
ca_chain [-----BEGIN CERTIFICATE-----
|
|
MIID0DCCArigAwIBAgIUdfRe05B5eRXsg3pvsJ/g94eYuWkwDQYJKoZIhvcNAQEL```
|