vhsm pki health-check
Learn to verify the health of a specific PKI secrets engine
Verifies the health of the given PKI secrets engine mount against an optional configuration. The mount argument must carry any namespace prefix in its path, for example ns1/pki.
Options
-default-disabled
Disables every health check unless the configuration file explicitly enables it, so only the checks named in -health-config run. Default is false.
-health-config=<path>
Path to a JSON configuration file that changes which health checks run and with what parameters.
-list
Lists the available health checks and their known configuration values without running them. Requires the positional mount argument. Default is false.
-return-indicator=<value>
Controls which result severity the exit code reflects (see Exit Codes below): permission, critical, warning, informational, or default. Default is default.
Exit Codes
0: Everything is good.
1: Usage error (invalid CLI parameters).
2: A health check returned an informational message.
3: A health check returned a warning.
4: A health check returned a critical message.
5: Version mismatch between the health-check logic in this CLI and the vHSM Server.
6: Permission denied by the vHSM Server.
Health Checks
ca_validity_period
Checks whether any CA certificate on the mount is close to expiry.
crl_validity_period
Checks whether any CRL is close to expiry.
hardware_backed_root
Checks whether root CA keys are backed by a hardware security module.
root_issued_leaves
Flags leaf certificates issued directly by a root CA instead of by an intermediate CA.
role_allows_localhost
Detects roles that allow issuance for localhost.
role_allows_glob_wildcards
Identifies roles that allow wildcard issuance through glob domains.
role_no_store_false
Flags roles with no_store set to false, which persists every issued certificate and can hurt performance.
audit_visibility
Checks that the mount's audit settings leave the information log consumers need visible.
policy_allow_endpoints
Detects unsafe ACL policies that grant access to sensitive endpoints on the mount.
allow_if_modified_since
Checks whether the If-Modified-Since and Last-Modified headers are configured.
enable_auto_tidy
Checks that auto-tidy is enabled with the recommended defaults.
tidy_last_run
Checks that the tidy operation has run within the expected timeframe.
Examples
Example 1: Perform a basic health check
Example 2: Specify a configuration file
Example 3: List available health checks
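The following script is an added example and is not part of the vhsm documentation or the vhsm project. It wraps the three invocations above (a plain run, a run with a configuration file, and -list) into a CI gate that acts on the exit codes from the table. It assumes the vhsm binary is on PATH and already authenticated, that a health-config file is a JSON object keyed by check name in which each check carries an "enabled" flag (implied by -default-disabled) plus its parameters, that the parameter names root_expiry_critical and intermediate_expiry_critical exist (a guess; confirm with -list), and that with the default -return-indicator the exit code reflects the most severe result found. The mount name ns1/pki is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the vhsm documentation or project: a CI gate
# around `vhsm pki health-check`.
#
# Assumptions (not stated on the page):
#   - `vhsm` is on PATH and already authenticated against the server.
#   - A health-config is a JSON object keyed by check name; each check has
#     an "enabled" flag plus parameters. The parameter names below are
#     guesses: confirm them with `vhsm pki health-check -list <mount>`.
#   - With the default -return-indicator the exit code is the most severe
#     result, as laid out in the Exit Codes table.

# Label an exit code from the Exit Codes table.
describe_exit() {
  case "$1" in
    0) echo "ok" ;;
    1) echo "usage error" ;;
    2) echo "informational" ;;
    3) echo "warning" ;;
    4) echo "critical" ;;
    5) echo "version mismatch" ;;
    6) echo "permission denied" ;;
    *) echo "unexpected exit code $1" ;;
  esac
}

# Write a health-config enabling only the checks this pipeline cares about.
# Paired with -default-disabled, every check not listed here is skipped.
# Usage: write_health_config <path>
write_health_config() {
  cat > "$1" <<'EOF'
{
  "ca_validity_period": {
    "enabled": true,
    "root_expiry_critical": "180d",
    "intermediate_expiry_critical": "30d"
  },
  "crl_validity_period":        { "enabled": true },
  "hardware_backed_root":       { "enabled": true },
  "root_issued_leaves":         { "enabled": true },
  "role_allows_localhost":      { "enabled": true },
  "role_allows_glob_wildcards": { "enabled": true },
  "policy_allow_endpoints":     { "enabled": true },
  "tidy_last_run":              { "enabled": true }
}
EOF
}

# Show the checks and configuration values the CLI knows for a mount without
# running them; use it to verify the keys used in the config above.
# Usage: list_pki_health_checks <mount>
list_pki_health_checks() {
  vhsm pki health-check -list "$1"
}

# Run the health check and decide whether the job may continue. Returns 0 for
# ok, informational and warning results (logged only) and passes every other
# exit code through, so critical findings, a version mismatch, permission
# problems and usage errors all fail the job.
# Usage: gate_pki_health_check <mount> [config.json]
gate_pki_health_check() {
  local mnt cfg rc
  mnt="$1"
  cfg="$2"
  if [ -n "$cfg" ]; then
    set -- pki health-check -default-disabled "-health-config=$cfg" "$mnt"
  else
    set -- pki health-check "$mnt"
  fi
  rc=0
  vhsm "$@" || rc=$?
  echo "pki health-check on $mnt: $(describe_exit "$rc")" >&2
  case "$rc" in
    0|2|3) return 0 ;;
    *)     return "$rc" ;;
  esac
}

# Stand-alone use: ./pki-gate.sh ns1/pki
if [ "$#" -gt 0 ]; then
  tmp=$(mktemp) || exit 1
  write_health_config "$tmp"
  rc=0
  gate_pki_health_check "$1" "$tmp" || rc=$?
  rm -f "$tmp"
  exit "$rc"
fi
```

The gate deliberately interprets the exit code itself rather than relying on -return-indicator, because the table above is the only contract the page documents; if you prefer to let the CLI decide, pass -return-indicator=warning or -return-indicator=critical and treat any non-zero status as failure. Run the script with -list first on a new server version so that exit code 5 (version mismatch) is caught before it starts failing pipelines.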