# vhsm pki reissue

The `vhsm pki reissue` command allows reissuing a Certificate Authority (CA) certificate using an existing issuer as a template. This simplifies the process by pre-populating certificate fields from a specified template while allowing modifications as needed.

### Usage

```sh
vhsm pki reissue [flags] <parent> <template> <child_mount> [options]
```

* `<parent>`: The fully qualified path of the CA in vHSM that will issue the new intermediate certificate.
* `<template>`: The fully qualified path of an intermediate certificate in vHSM that serves as a template for the new certificate. Fields not overridden by `[options]` will be copied from this template.

  > **Note:** Not all certificate fields are supported by vHSM. If an external CA was imported into vHSM, some fields may not be retained, and no warning will be provided.
* `<child_mount>`: The vHSM mount path where the new issuer will be stored.
* `[flags]`: Optional arguments described below.
* `[options]`: A set of `key=value` options that define certificate attributes. These options correspond to those used in `generate-intermediate-csr` and `sign-intermediate`.

Upon successful execution, this command outputs the details of the newly created issuer.

### Flags

| Flag           | Default      | Description                                                                                                                                                                                                                                     |
| -------------- | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-type`        | `"internal"` | Specifies the key type for the new certificate. Possible values: `"existing"` (link to an existing key in the vHSM backend), `"internal"` (generate a new key), or `"kms"` (use an external key). Exported keys are not available via this API. |
| `-issuer_name` | `""` (empty) | Assigns a name to the newly created issuer.                                                                                                                                                                                                     |

{% hint style="info" %}
**Note:**\
When using an existing key (`-type=existing`), the key material must exist in the same mount where the new certificate is being created. If the template resides on a different mount and no `key_ref` is provided for a key in the new issuer’s mount, the command will fail.
{% endhint %}

### Options

In addition to `-type`, this command accepts all options supported by the **Generate CSR** and **Sign Intermediate** API endpoints. These options define the certificate’s attributes.

### Required API Access

To execute this command, the vHSM user must have permissions for the following API endpoints:

| API Endpoint                                      | Purpose                                                                    |
| ------------------------------------------------- | -------------------------------------------------------------------------- |
| `READ /:parent`                                   | Validates the parent certificate.                                          |
| `READ /:template`                                 | Extracts template values for the new certificate.                          |
| `WRITE /:child_mount/intermediate/generate/:type` | Generates the Certificate Signing Request (CSR).                           |
| `WRITE /:parent/sign-intermediate`                | Signs the CSR.                                                             |
| `WRITE /:child_mount/issuers/import/cert`         | Imports the new issuer and issuer chain.                                   |
| `UPDATE /:child_mount/issuer/:issuer_refs`        | Assigns a name to the new issuer and links the parent in the issuer chain. |
| `READ /:child_mount/issuer/:new_issuer_ref`       | Verifies completion and generates the output.                              |
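
An offline preflight for a planned `vhsm pki reissue` invocation, added here as an example and not part of vHSM or its documentation. It fills in the endpoint table with concrete paths so a policy can be scoped to exactly those, and it flags the `-type=existing` cross-mount case from the hint. The function names are hypothetical, and the `<mount>/issuer/<ref>` path shape is an assumption taken from the page's own example.

```sh
#!/bin/sh
# Added example, not vHSM code. Assumes issuer paths look like
# <mount>/issuer/<ref>, as in the example invocation on this page.

# mount_of PATH: drop a trailing slash and "/issuer/<ref>" to get the mount.
mount_of() {
  local p="${1%/}"
  printf '%s\n' "${p%%/issuer/*}"
}

# required_access TYPE PARENT TEMPLATE CHILD_MOUNT
# Prints the endpoint table with concrete paths filled in. The issuer refs
# are only known after the import step, so they stay as placeholders.
required_access() {
  local type="$1" parent="${2%/}" template="${3%/}" child="${4%/}"
  cat <<EOF
READ $parent
READ $template
WRITE $child/intermediate/generate/$type
WRITE $parent/sign-intermediate
WRITE $child/issuers/import/cert
UPDATE $child/issuer/:issuer_refs
READ $child/issuer/:new_issuer_ref
EOF
}

# preflight TYPE TEMPLATE CHILD_MOUNT [key=value ...]
# Returns non-zero for the failure case in the hint: -type=existing, the
# template on a different mount, and no key_ref option supplied.
# It cannot confirm that a supplied key_ref really names a key in
# CHILD_MOUNT; that still has to be checked against the backend.
preflight() {
  local type="$1" template="$2" child="${3%/}" opt
  shift 3
  [ "$type" = "existing" ] || return 0
  for opt in "$@"; do
    case "$opt" in key_ref=?*) return 0 ;; esac
  done
  [ "$(mount_of "$template")" = "$child" ]
}
```

Run `required_access` with the same arguments you intend to pass to the command and compare its output with the permissions actually granted to the vHSM user. Anything broader than those seven lines is more access than the reissue needs.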

### Example

```sh
vhsm pki reissue -issuer_name="SecondDepartment" /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ common_name="second-department.example.com"
```

**Output**

```
Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIUdfRe05B5eRXsg3pvsJ/g94eYuWkwDQYJKoZIhvcNAQEL...
```

