# vhsm pki verify-sign

The `vhsm pki verify-sign` command verifies whether the listed issuer has signed the listed issued certificate.

### Usage

```sh
vhsm pki verify-sign <parent> <child>
```

* `<parent>`: The fully name-spaced path to the issuer certificate used to verify the `<child>` certificate.
* `<child>`: The fully name-spaced path to the potential child certificate to be verified.

A fully namespaced path looks like:

```
ns1/mount1/issuer/issuerName/json
```

### Output fields

| Field             | Description                                                                                                                    |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| `signature_match` | Indicates if the key of the issuer was used to sign the issued certificate.                                                    |
| `path_match`      | Checks if the possible issuer appears in the valid certificate chain of the issued certificate.                                |
| `key_id_match`    | Verifies if the key ID of the issuer matches the key ID of the subject.                                                        |
| `subject_match`   | Determines if the subject name of the issuer matches the issuer subject of the issued certificate.                             |
| `trust_match`     | If someone trusted the parent issuer, verifies whether the provided chain is sufficient to trust the child issued certificate. |

### Example

```sh
vhsm pki verify-sign pki_root/issuer/root pki_int/issuer/FirstDepartment
```

**Output**

```
issuer:pki_root/issuer/root
issued:pki_int/issuer/FirstDepartment

field              value
-----              -----
subject_match      true
path_match         true
trust_match        true
key_id_match       true
signature_match    true
```

***


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.enclaive.cloud/virtual-hsm/cli/security-and-encryption/vhsm-pki/vhsm-pki-verify-sign.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.