mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-16 11:37:04 +02:00
262b0434df
* Add pki-cli docs. * Tiny updates. * Whitespace fix, include description * Closing-tags. * Update website/content/docs/commands/pki/verify-sign.mdx Title Code as Shell Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Update website/content/docs/commands/pki/reissue.mdx Title More Code as Shell Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Update website/content/docs/commands/pki/list-intermediates.mdx Title code block as shell Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Update website/content/docs/commands/pki/issue.mdx Title code-block as shell Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Apply suggestions from code review Label Code-Blocks as Shell-Session Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Apply suggestions from code review Comma and Period Changes. Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> * Apply suggestions from code review ascheels highlighting-1 Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix highlighting throughout. * Update website/content/docs/commands/pki/list-intermediates.mdx Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> * Update website/content/docs/commands/pki/reissue.mdx Clarifying note on why unknown fields might be there. Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> * Update website/content/docs/commands/pki/reissue.mdx cipherboy request Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add Key-ID RFC link. * k=v add link * correct link --------- Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
90 lines
3.6 KiB
Plaintext
90 lines
3.6 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: pki list-intermediates - Command
|
|
description: |-
|
|
The "pki list-intermediates" command searches a mount, or set of mounts for
|
|
child certificates.
|
|
---
|
|
|
|
# pki list-intermediates
|
|
|
|
This command determines which of a list of certificates were issued by a given
|
|
parent certificate.
|
|
|
|
## Usage
|
|
|
|
Usage: `vault pki list-intermediates [flags] <parent> [child] [child] [child...`
|
|
|
|
Lists the set of intermediate CAs issued by this parent issuer.
|
|
|
|
- `[flags]` listed below determine the type of match required between the `<parent>`
|
|
and each potential child, and the type of output
|
|
|
|
- `<parent>` is the certificate that might be the issuer which everything is
|
|
verified against.
|
|
|
|
- `[child]` is an optional path to a certificate to be compared to the `<parent>`,
|
|
or pki mounts to look for certificates on. If `[child]` is omitted entirely, the
|
|
list will be constructed from all accessible pki mounts.
|
|
|
|
This returns a list of issuing certificates and whether they are a match.
|
|
By default, the type of match required is whether the `<parent>` has the
|
|
expected subject, [authority/subject key id match](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1), and could have (directly) signed this issuer.
|
|
The match criteria can be updated by changed the corresponding flag.
|
|
|
|
### Flags
|
|
|
|
- `-use_names` `(bool: "false")` - this determines how issuers are referred to
|
|
in the output, whether by issuer_id (the default), or by their name, or status
|
|
as default issuer (when use_names is true)
|
|
|
|
The following flags determine what sorts of relationship between the parent and
|
|
potential child issuers are considered a match.
|
|
|
|
- `-subject_match` `(bool: "true")` - determines whether the subject of the
|
|
parent-issuer must match the issuer of the potential child for this to be
|
|
considered a match
|
|
|
|
- `-key_id_match` `(bool: "true")` - determines whether the identifier of the
|
|
parent-issuer must match the IUI of the potential child for this to be
|
|
considered a match
|
|
|
|
- `-direct_verify` `(bool: "true")` - determines whether it is required for this
|
|
to be a match that someone trusting the parent certificate would trust the
|
|
potential-child certificate (without any more information)
|
|
|
|
- `-indirect-sign` `(bool: "true")` - determines whether it is required for this
|
|
to be a match that if someone trusted the first certificate, they would trust
|
|
the potential-child certificate (using the certificate chains available)
|
|
|
|
- `-path_contains` `(bool: "false")` - determines whether it is required for
|
|
this to be a match for the ca_chain of the potential child certificate to
|
|
contain the parent certificate
|
|
|
|
### Accessed APIs
|
|
|
|
Note that the vault user running this command will need to have access to the
|
|
following API endpoints, each representing a step in the process:
|
|
|
|
- `READ /:parent`
|
|
- `LIST /sys/mounts` - when no `[child]` argument is provided, this is used to
|
|
find a list of pki mounts
|
|
- `LIST /:child_mount/issuers/` - when no `[child]` argument is provided, or the
|
|
`[child]` argument is a mount rather than an issuer, this is used to find a list
|
|
of pki issuers on the mount
|
|
- `READ /:child` - each potential child issuer is read for comparison against
|
|
the parent
|
|
|
|
## Examples
|
|
|
|
```shell-session
|
|
$ vault pki list-intermediates /pki_root/issuer/default
|
|
intermediate match?
|
|
------------ ------
|
|
pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b true
|
|
pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581 true
|
|
pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c true
|
|
pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958 true
|
|
pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837 true
|
|
```
|