mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-16 03:27:01 +02:00
262b0434df
* Add pki-cli docs. * Tiny updates. * Whitespace fix, include description * Closing-tags. * Update website/content/docs/commands/pki/verify-sign.mdx Title Code as Shell Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Update website/content/docs/commands/pki/reissue.mdx Title More Code as Shell Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Update website/content/docs/commands/pki/list-intermediates.mdx Title code block as shell Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Update website/content/docs/commands/pki/issue.mdx Title code-block as shell Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Apply suggestions from code review Label Code-Blocks as Shell-Session Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> * Apply suggestions from code review Comma and Period Changes. Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> * Apply suggestions from code review ascheels highlighting-1 Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix highlighting throughout. * Update website/content/docs/commands/pki/list-intermediates.mdx Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> * Update website/content/docs/commands/pki/reissue.mdx Clarifying note on why unknown fields might be there. Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> * Update website/content/docs/commands/pki/reissue.mdx cipherboy request Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add Key-ID RFC link. * k=v add link * correct link --------- Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
89 lines
3.8 KiB
Plaintext
89 lines
3.8 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: pki reissue - Command
|
|
description: |-
|
|
The "pki reissue" command issues a new intermediate ("issuer") certificate,
|
|
using an existing certificate in vault as a template, and using a parent
|
|
certificate in vault to issue the new certificate.
|
|
---
|
|
|
|
# pki reissue
|
|
|
|
Frequently, a reissued CA certificate is to be very similar to another.
|
|
This command enables reissuing a CA, using an existing issuer within
|
|
Vault as a template, but allowing modifications to the desired attributes.
|
|
|
|
## Usage
|
|
|
|
Usage: `vault pki reissue [flags] <parent> <template> <child_mount> [options]`
|
|
|
|
- `[flags]` are optional arguments described below.
|
|
|
|
- `<parent>` is the fully qualified path of the Certificate Authority in vault
|
|
which will issue the new intermediate certificate.
|
|
|
|
- `<template>` is the fully qualified path of an intermediate certificate in vault
|
|
which will be used to populate certificate fields not overridden by `[options]`.
|
|
|
|
~> **Note**: not all possible certificate fields are supported by Vault, and
|
|
this template reader covers only those vault generates as a best effort. If
|
|
unknown fields are set, such as when an external CA was imported into Vault,
|
|
there may not be a warning that those are missing from the new issuer.
|
|
|
|
- `<child_mount>` is the path of the mount in vault where the new issuer is saved.
|
|
|
|
- `[options]` are the superset of the k=v options passed to generate/intermediate
|
|
and sign-intermediate commands. See [below](/vault/docs/commands/pki/reissue#options).
|
|
|
|
The output of this command when it is successful is to read the resulting new
|
|
issuer entry.
|
|
|
|
### Flags
|
|
|
|
- `-type` `(string: "internal")` - This determines the type of key use for the
|
|
newly created certificate. Valid types are `"existing"` - where we link to
|
|
a key already present in the vault-backend to be used - `"internal"` - to
|
|
generate a new key for this certificate - or `"kms"` - to link to an external
|
|
key. Exported keys are not available through this API.
|
|
|
|
~> **Note**: It is only possible to generate a new certificate with an existing
|
|
key that exists in the same mount where that key-material exists. This
|
|
command is expected to fail should the template exist on a different mount,
|
|
`existing` is the selected type, and no `key_ref` for a key in the new issuer
|
|
mount is provided.
|
|
|
|
- `-issuer_name` `(string: "")` - If present, the newly created issuer will be
|
|
given this name.
|
|
|
|
### Options
|
|
|
|
Other than `type` (which is passed as a flag, see above), this command accepts
|
|
all options provided to the
|
|
[Generate CSR](/vault/api-docs/secret/pki#generate-intermediate-csr) and
|
|
[Sign Intermediate](/vault/api-docs/secret/pki#sign-intermediate) endpoints.
|
|
|
|
### Accessed APIs
|
|
|
|
Note that the vault user running this command will need to have access to the
|
|
following API endpoints, each representing a step in the process:
|
|
|
|
- `READ /:parent` - used to check validity
|
|
- `READ /:template` - used to generate the options for the new certificate
|
|
- `WRITE /:child_mount/intermediate/generate/:type` - used to generate the csr
|
|
- `WRITE /:parent/sign-intermediate` - used to sign the csr
|
|
- `WRITE /:child_mount/issuers/import/cert` - used to import the new issuer,
|
|
and the issuer chain
|
|
- `UPDATE /:child_mount/issuer/:issuer_refs` - used to both name the new
|
|
issuer, and also set the name of the parent in the issuer chain
|
|
- `READ /:child_mount/issuer/:new_issuer_ref` - used to verify completion,
|
|
generate the output
|
|
|
|
## Examples
|
|
|
|
```shell-session
|
|
$ vault pki reissue -issuer_name="SecondDepartment" /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ common_name="second-department.example.com"
|
|
Key Value
|
|
--- -----
|
|
ca_chain [-----BEGIN CERTIFICATE-----
|
|
MIID0DCCArigAwIBAgIUdfRe05B5eRXsg3pvsJ/g94eYuWkwDQYJKoZIhvcNAQEL```
|