# vhsm pki list-intermediates

The `pki list-intermediates` command determines which certificates from a given list were issued by a specified parent certificate.

### Usage

```sh
vhsm pki list-intermediates [flags] <parent> [child] [child] [child...]
```

* `<parent>`: The certificate used as the issuer against which everything is verified.
* `[child]` (optional): A path to a certificate to compare against `<parent>`, or a PKI mount to search for certificates. If omitted, all accessible PKI mounts are used to construct the list.

This command returns a list of issuing certificates and whether they match the parent based on predefined criteria. By default, the match is determined by subject name, authority key ID, subject key ID, and the ability of the parent to have directly signed the issuer.

### Flags

The following flags control the match criteria and output format:

#### Output Formatting

| Flag         | Default | Description                                                                                                                               |
| ------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `-use_names` | `false` | Determines how issuers are referred to in the output: by `issuer_id` (default) or by their name/status as the default issuer (if `true`). |

#### Match Criteria

| Flag             | Default | Description                                                                                                            |
| ---------------- | ------- | ---------------------------------------------------------------------------------------------------------------------- |
| `-subject_match` | `true`  | Requires the subject of the parent issuer to match the issuer of the potential child.                                  |
| `-key_id_match`  | `true`  | Requires the key ID of the parent issuer to match the key ID of the potential child.                                   |
| `-direct_verify` | `true`  | Requires that a trust relationship exists between the parent and child certificates without additional information.    |
| `-indirect_sign` | `true`  | Requires that if the parent is trusted, the child certificate must also be trusted using available certificate chains. |
| `-path_contains` | `false` | Requires the CA chain of the child certificate to contain the parent certificate for a match.                          |
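
The subject, key ID and direct-signature criteria above, shown as an added Go example built on the standard `crypto/x509` package (this is not vHSM's own code). It assumes `-key_id_match` compares the parent's subject key ID with the child's authority key ID, as is usual for X.509; `CheckIssuedBy`, `NewCA` and `must` are hypothetical names, and all certificates are constructed in memory.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckIssuedBy applies three criteria to X.509 fields (assumed mapping, not vHSM code).
func CheckIssuedBy(parent, child *x509.Certificate) (subject, keyID, direct bool) {
	return bytes.Equal(parent.RawSubject, child.RawIssuer), // parent subject == child issuer
		len(child.AuthorityKeyId) > 0 && bytes.Equal(parent.SubjectKeyId, child.AuthorityKeyId),
		child.CheckSignatureFrom(parent) == nil // parent key verifies child signature
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA creates a constructed sample CA; a nil signer yields a self-signed root.
func NewCA(cn string, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if signer == nil {
		signer, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	root, rootKey := NewCA("Constructed Root", nil, nil)
	lookalike, _ := NewCA("Constructed Root", nil, nil) // same subject, different key
	inter, _ := NewCA("Constructed Intermediate", root, rootKey)
	fmt.Println(CheckIssuedBy(root, inter))      // true true true
	fmt.Println(CheckIssuedBy(lookalike, inter)) // true false false
}
```

The lookalike row shows why a subject match alone does not establish issuance: only the key ID and signature checks tie the child to the parent's key.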

### Required API Access

To run this command, the vHSM user must have access to the following API endpoints:

| API Endpoint                  | Purpose                                                               |
| ----------------------------- | --------------------------------------------------------------------- |
| `READ /:parent`               | Reads the parent certificate for verification.                        |
| `LIST /sys/mounts`            | Retrieves a list of PKI mounts if no `[child]` argument is provided.  |
| `LIST /:child_mount/issuers/` | Finds PKI issuers on a mount when `[child]` is omitted or is a mount. |
| `READ /:child`                | Reads each potential child issuer for comparison against the parent.  |

### Example

```sh
vhsm pki list-intermediates /pki_root/issuer/default
```

**Output**

```
intermediate                                             match?
------------                                             ------
pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b    true
pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581    true
pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c     true
pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958      true
pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837      true
```

