vhsm pki health-check

Learn to verify the health of a specific PKI secrets engine

Verifies the health of the given PKI secrets engine mount against an optional configuration. Mounts should be specified with any namespaces prefixed in the path, for example, ns1/pki.

Options

-default-disabled
    Disables all health checks by default unless explicitly enabled by the configuration file. Default is false.

-health-config=<path>
    Path to a JSON configuration file to modify health check execution and parameters.

-list
    Displays the list of health checks and known configuration values without running them. Requires a positional mount argument. Default is false.

-return-indicator=<value>
    Determines the exit code behavior: permission, critical, warning, informational, or default. Default is default.

Exit Codes

Code  Meaning
0     Everything is good.
1     Usage error (invalid CLI parameters).
2     Informational message from a health check.
3     Warning message from a health check.
4     Critical message from a health check.
5     Version mismatch between health check and vHSM Server.
6     Permission denied from vHSM Server.

Health Checks

ca_validity_period
    Checks if CA certificates are expiring soon.

crl_validity_period
    Verifies if CRLs are close to expiration.

root_issued_leaves
    Ensures leaf certificates are issued from intermediate CAs, not directly from root.

role_allows_localhost
    Detects roles that allow issuance for localhost.

role_allows_glob_wildcards
    Identifies roles allowing wildcard issuance with glob domains.

role_no_store_false
    Checks if no_store is set to false, impacting performance.

audit_visibility
    Ensures audit information is accessible to log consumers.

allow_if_modified_since
    Checks if If-Modified-Since and Last-Modified headers are configured.

enable_auto_tidy
    Ensures auto-tidy is enabled with recommended defaults.

tidy_last_run
    Checks if the tidy operation has run within the expected timeframe.

too_many_certs

enable_acme_issuance
    Ensures ACME is enabled on mounts with an intermediary issuer to support automated certificate issuance and rotation.

allow_acme_headers
    Verifies that required ACME protocol headers (Replay-Nonce, Link, Location) are properly configured on the mount.

Example

Example 1: Perform a basic health check

vhsm pki health-check pki-root/

Example 2: Specify a configuration file

vhsm pki health-check -health-config=mycorp-root.json pki-root/

Example 3: List available health checks

vhsm pki health-check -list pki-root/
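As an added example that is not part of the vHSM documentation, the following POSIX shell script turns the exit-code table above into a deployment gate: it runs the health check on a mount, optionally with a -health-config file as in Example 2, and fails at a chosen severity while treating usage, version-mismatch and permission errors as failures in their own right. It assumes the vhsm binary is on PATH and already authenticated to the vHSM Server; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vHSM project code): gate on `vhsm pki health-check` exit
# codes. Assumes `vhsm` is on PATH and authenticated to the vHSM Server.

# Label an exit code of `vhsm pki health-check` (codes 0-6 as documented).
pki_exit_label() {
  case "$1" in
    0) echo ok ;;
    1) echo usage-error ;;
    2) echo informational ;;
    3) echo warning ;;
    4) echo critical ;;
    5) echo version-mismatch ;;
    6) echo permission-denied ;;
    *) echo unknown ;;
  esac
}

# Pass (return 0) or fail (return 1) a code for a severity threshold:
# informational fails on 2-4, warning on 3-4, critical on 4 only.
# Codes 1, 5 and 6 mean the check did not run as intended and always fail.
pki_gate_verdict() {
  code=$1
  case "${2:-warning}" in
    informational) min=2 ;;
    warning)       min=3 ;;
    critical)      min=4 ;;
    *) echo "unknown threshold: $2" >&2; return 1 ;;
  esac
  case "$code" in
    0) return 0 ;;
    2|3|4) if [ "$code" -lt "$min" ]; then return 0; else return 1; fi ;;
    *) return 1 ;;
  esac
}

# Check one mount (optionally with a JSON config, as in Example 2) and
# print "<mount> <label> <pass|fail>"; returns 1 when the gate fails.
# Usage: check_mount pki-root/ warning mycorp-root.json
check_mount() {
  mount=$1; threshold=$2; config=$3; code=0
  if [ -n "$config" ]; then
    vhsm pki health-check -health-config="$config" "$mount" || code=$?
  else
    vhsm pki health-check "$mount" || code=$?
  fi
  if pki_gate_verdict "$code" "$threshold"; then verdict=pass; else verdict=fail; fi
  echo "$mount $(pki_exit_label "$code") $verdict"
  if [ "$verdict" = pass ]; then return 0; else return 1; fi
}
```

Call check_mount once per PKI mount from a pipeline step; a non-zero return stops the rollout, and the printed label tells you whether the problem was a check result or the check itself not running.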

Additional Information


For more information about the necessary actions to take based on the status of a health check, see .

Recommended Actions

The recommended action for each check is described on the Troubleshooting page of the same name:

  • ca_validity_period (CA Validity Period)
  • crl_validity_period (CRL Validity Period)
  • root_issued_leaves (Root Certificate Issued Non-CA Leaves)
  • role_allows_localhost (Role Allows Implicit Localhost Issuance)
  • role_allows_glob_wildcards (Role Allows Glob-Based Wildcard Issuance)
  • role_no_store_false (Performance Impact)
  • audit_visibility (Accessibility of Audit Information)
  • allow_if_modified_since (Allow If-Modified-Since Requests)
  • enable_auto_tidy (Auto-Tidy Disabled)
  • tidy_last_run (Tidy Hasn't Run)
  • too_many_certs (Too Many Certificates)
  • enable_acme_issuance (Enable ACME Issuance)
  • allow_acme_headers (ACME Response Headers Configuration)