# vhsm pki health-check

Verifies the health of the given PKI secrets engine mount against an optional configuration. Mounts should be specified with any namespaces prefixed in the path, for example, `ns1/pki`.

### Options

| Option                      | Description                                                                                                                                       |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-default-disabled`         | Disables all health checks by default unless explicitly enabled by the configuration file. Default is `false`.                                    |
| `-health-config=<path>`     | Path to a JSON configuration file to modify health check execution and parameters.                                                                |
| `-list`                     | Displays the list of health checks and known configuration values without running them. Requires a positional mount argument. Default is `false`. |
| `-return-indicator=<value>` | Determines the exit code behavior: `permission`, `critical`, `warning`, `informational`, or `default`. Default is `default`.                      |

### Exit Codes

| Code | Meaning                                                |
| ---- | ------------------------------------------------------ |
| `0`  | Everything is good.                                    |
| `1`  | Usage error (invalid CLI parameters).                  |
| `2`  | Informational message from a health check.             |
| `3`  | Warning message from a health check.                   |
| `4`  | Critical message from a health check.                  |
| `5`  | Version mismatch between health check and vHSM Server. |
| `6`  | Permission denied from vHSM Server.                    |

### Health Checks

| Name                                                                                                     | Description                                                                                                             |
| -------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| [`ca_validity_period`](/virtual-hsm/troubleshooting/ca-validity-period.md)                               | Checks if CA certificates are expiring soon.                                                                            |
| [`crl_validity_period`](/virtual-hsm/troubleshooting/crl-validity-period.md)                             | Verifies if CRLs are close to expiration.                                                                               |
| [`root_issued_leaves`](/virtual-hsm/troubleshooting/root-certificate-issued-non-ca-leaves.md)            | Ensures leaf certificates are issued from intermediate CAs, not directly from root.                                     |
| [`role_allows_localhost`](/virtual-hsm/troubleshooting/role-allows-implicit-localhost-issuance.md)       | Detects roles that allow issuance for `localhost`.                                                                      |
| [`role_allows_glob_wildcards`](/virtual-hsm/troubleshooting/role-allows-glob-based-wildcard-issuance.md) | Identifies roles allowing wildcard issuance with glob domains.                                                          |
| [`role_no_store_false`](/virtual-hsm/troubleshooting/performance-impact.md)                              | Checks if `no_store` is set to `false`, impacting performance.                                                          |
| [`audit_visibility`](/virtual-hsm/troubleshooting/accessibility-of-audit-information.md)                 | Ensures audit information is accessible to log consumers.                                                               |
| [`allow_if_modified_since`](/virtual-hsm/troubleshooting/allow-if-modified-since-requests.md)            | Checks if `If-Modified-Since` and `Last-Modified` headers are configured.                                               |
| [`enable_auto_tidy`](/virtual-hsm/troubleshooting/auto-tidy-disabled.md)                                 | Ensures auto-tidy is enabled with recommended defaults.                                                                 |
| [`tidy_last_run`](/virtual-hsm/troubleshooting/tidy-hasnt-run.md)                                        | Checks if the `tidy` operation has run within the expected timeframe.                                                   |
| [`too_many_certs`](/virtual-hsm/troubleshooting/too-many-certificates.md)                                | Checks if too many certificates are stored on the mount.                                                                |
| [`enable_acme_issuance`](/virtual-hsm/troubleshooting/enable-acme-issuance.md)                           | Ensures ACME is enabled on mounts with an intermediary issuer to support automated certificate issuance and rotation.   |
| [`allow_acme_headers`](/virtual-hsm/troubleshooting/acme-response-headers-configuration.md)              | Verifies that required ACME protocol headers (`Replay-Nonce`, `Link`, `Location`) are properly configured on the mount. |

### Examples

Example 1: Perform a basic health check

```
vhsm pki health-check pki-root/
```

Example 2: Specify a configuration file

```
vhsm pki health-check -health-config=mycorp-root.json pki-root/
```

Example 3: List available health checks

```
vhsm pki health-check -list pki-root/
```
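
The exit codes listed above can gate a scheduled or CI job. The following wrapper is an added example, not part of the vHSM tooling; it assumes the default `-return-indicator` behavior, and `VHSM_BIN`, the function names and the numeric threshold argument are names introduced here.

```sh
#!/bin/sh
# Added example, not part of the vHSM distribution.
# VHSM_BIN and the numeric threshold argument are names chosen for this sketch.
VHSM_BIN="${VHSM_BIN:-vhsm}"

# Translate an exit code from the Exit Codes table into a label.
health_label() {
  case "$1" in
    0) echo ok ;;
    1) echo usage-error ;;
    2) echo informational ;;
    3) echo warning ;;
    4) echo critical ;;
    5) echo version-mismatch ;;
    6) echo permission-denied ;;
    *) echo unknown ;;
  esac
}

# Return 0 (fail the job) or 1 (let it continue).
# Codes 2-4 are findings and are compared with the threshold
# (2 = informational, 3 = warning, 4 = critical).
# Codes 1, 5, 6 and anything unknown mean the checks may not have run,
# so they always fail instead of being read as a clean result.
should_fail() {
  code="$1"; threshold="${2:-3}"
  case "$code" in
    0) return 1 ;;
    2|3|4) [ "$code" -ge "$threshold" ] ;;
    *) return 0 ;;
  esac
}

# Run the health check on one mount, print a one-line summary for the job
# log, and return non-zero when the result must stop the job.
check_mount() {
  mount="$1"; threshold="${2:-3}"
  code=0
  "$VHSM_BIN" pki health-check "$mount" >/dev/null 2>&1 || code=$?
  echo "mount=$mount exit=$code status=$(health_label "$code")"
  if should_fail "$code" "$threshold"; then return 1; fi
  return 0
}

# Usage in a scheduled job: check_mount pki-root/ 3 || exit 1
```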

#### Additional Information

For more information about the necessary actions to perform based on the status of the health check, see Recommended Actions.


