# vhsm pki issue

The `vhsm pki issue` command creates an intermediate certificate authority (CA) certificate signed by the `<parent>` CA and stores it in the `<child_mount>`. The available options define the fields of the newly created certificate.

### Usage

```sh
vhsm pki issue [flags] <parent> <child_mount> [options]
```

* `<parent>`: The fully qualified path of the Certificate Authority (CA) in vHSM that will issue the new intermediate certificate.
* `<child_mount>`: The path of the mount in vHSM where the new issuer will be stored.
* `[flags]`: Optional arguments described below.
* `[options]`: A set of `key=value` options that control certificate generation. These options correspond to parameters used in `generate-intermediate-csr` and `sign-intermediate`. At least one option must be provided.

### Flags

| Flag           | Default      | Description                                                                                                                                                                                                                                                                        |
| -------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-type`        | `"internal"` | Determines the key type for the newly created certificate. Possible values: `"existing"` (link to an existing key in the vHSM backend, requires `key_ref`), `"internal"` (generate a new key), or `"kms"` (use an external key). Exported keys are not available through this API. |
| `-issuer_name` | `""` (empty) | Specifies a name for the newly created issuer.                                                                                                                                                                                                                                     |

### Options

In addition to `-type`, this command accepts all options supported by the **Generate CSR** and **Sign Intermediate** API endpoints. These options define the properties of the issued certificate.

### Required API Access

To execute this command, the vHSM user must have permissions for the following API endpoints:

| API Endpoint                                      | Purpose                                                                   |
| ------------------------------------------------- | ------------------------------------------------------------------------- |
| `READ /:parent`                                   | Validates the parent certificate.                                         |
| `WRITE /:child_mount/intermediate/generate/:type` | Generates the Certificate Signing Request (CSR).                          |
| `WRITE /:parent/sign-intermediate`                | Signs the CSR.                                                            |
| `WRITE /:child_mount/issuers/import/cert`         | Imports the new issuer and issuer chain.                                  |
| `UPDATE /:child_mount/issuer/:issuer_refs`        | Assigns a name to the new issuer and sets its parent in the issuer chain. |
| `READ /:child_mount/issuer/:new_issuer_ref`       | Verifies completion and generates the output.                             |
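
The table above can be turned into a pre-flight check when scoping a least-privilege account for issuance. The following is an added example, not part of the vHSM documentation or tooling: the grant list format (`(operation, path glob)` pairs), the names `missing_access` and `expand`, and the sample grants are assumptions for illustration and are not vHSM policy syntax.

```python
from fnmatch import fnmatchcase

# (operation, path template) pairs copied from the Required API Access table.
REQUIRED = [
    ("READ", "/:parent"),
    ("WRITE", "/:child_mount/intermediate/generate/:type"),
    ("WRITE", "/:parent/sign-intermediate"),
    ("WRITE", "/:child_mount/issuers/import/cert"),
    ("UPDATE", "/:child_mount/issuer/:issuer_refs"),
    ("READ", "/:child_mount/issuer/:new_issuer_ref"),
]

# Issuer references exist only after the import step, so a constructed
# stand-in is used here; only a wildcard grant can cover it ahead of time.
SAMPLE_REF = "constructed-issuer-ref"

def expand(template, parent, child_mount, key_type="internal"):
    """Fill a path template with the command's arguments."""
    values = {
        ":parent": parent.strip("/"),
        ":child_mount": child_mount.strip("/"),
        ":type": key_type,
        ":issuer_refs": SAMPLE_REF,
        ":new_issuer_ref": SAMPLE_REF,
    }
    return "/".join(values.get(seg, seg) for seg in template.split("/"))

def missing_access(grants, parent, child_mount, key_type="internal"):
    """Return the (operation, path) pairs that no grant covers."""
    missing = []
    for op, template in REQUIRED:
        path = expand(template, parent, child_mount, key_type)
        # Note: fnmatch's "*" also matches "/", so globs here are permissive.
        if not any(g_op == op and fnmatchcase(path, g_glob) for g_op, g_glob in grants):
            missing.append((op, path))
    return missing

# Constructed sample grants (hypothetical format); UPDATE on the issuer is absent.
GRANTS = [
    ("READ", "/pki_root/issuer/default"),
    ("WRITE", "/pki_root/issuer/default/sign-intermediate"),
    ("WRITE", "/pki_int/intermediate/generate/internal"),
    ("WRITE", "/pki_int/issuers/import/cert"),
    ("READ", "/pki_int/issuer/*"),
]

if __name__ == "__main__":
    for op, path in missing_access(GRANTS, "/pki_root/issuer/default", "/pki_int/"):
        print("missing:", op, path)
```

Because the generate endpoint includes `:type`, a grant scoped to `internal` does not cover a run with `-type=existing`; pass `key_type` to check the variant you intend to use.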

### Example

```sh
vhsm pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com"
```

**Output**

```
Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL...
```

