vhsm pki health-check

Learn to verify the health of a specific PKI secrets engine

Verifies the health of the given PKI secrets engine mount against an optional configuration. Mounts should be specified with any namespaces prefixed in the path, for example, ns1/pki.

Options

| Option | Description |
| --- | --- |
| -default-disabled | Disables all health checks by default unless explicitly enabled by the configuration file. Default is false. |
| -health-config=<path> | Path to a JSON configuration file to modify health check execution and parameters. |
| -list | Displays the list of health checks and known configuration values without running them. Requires a positional mount argument. Default is false. |
| -return-indicator=<value> | Determines the exit code behavior: permission, critical, warning, informational, or default. Default is default. |

Exit Codes

| Code | Meaning |
| --- | --- |
| 0 | Everything is good. |
| 1 | Usage error (invalid CLI parameters). |
| 2 | Informational message from a health check. |
| 3 | Warning message from a health check. |
| 4 | Critical message from a health check. |
| 5 | Version mismatch between health check and vHSM Server. |
| 6 | Permission denied from vHSM Server. |

Health Checks

Name
Description

Checks if CA certificates are expiring soon.

Verifies if CRLs are close to expiration.

Ensures leaf certificates are issued from intermediate CAs, not directly from root.

Detects roles that allow issuance for localhost.

Identifies roles allowing wildcard issuance with glob domains.

Checks if no_store is set to false, impacting performance.

Ensures audit information is accessible to log consumers.

Checks if If-Modified-Since and Last-Modified headers are configured.

Ensures auto-tidy is enabled with recommended defaults.

Checks if the tidy operation has run within the expected timeframe.

too_many_certs

Ensures ACME is enabled on mounts with an intermediary issuer to support automated certificate issuance and rotation.

Verifies that required ACME protocol headers (Replay-Nonce, Link, Location) are properly configured on the mount.

Example

Example 1: Perform a basic health check

vhsm pki health-check pki-root/

Example 2: Specify a configuration file

vhsm pki health-check -health-config=mycorp-root.json pki-root/

Example 3: List available health checks

vhsm pki health-check -list pki-root/
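
The exit codes listed above are not ordered by severity: codes 1, 5 and 6 report that the check itself could not complete, which a scheduled job should not count as a pass. The wrapper below is an added example, not part of the vHSM documentation; `VHSM_BIN`, `fake_vhsm`, the `--demo` switch and the mount names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: wraps `vhsm pki health-check` for cron/monitoring use.
# Plugin states follow the common convention 0=OK 1=WARNING 2=CRITICAL 3=UNKNOWN.
# VHSM_BIN, fake_vhsm and the mount names are assumptions, not vHSM features.
VHSM_BIN="${VHSM_BIN:-vhsm}"

# Map one health-check exit code (see Exit Codes) to a plugin state.
plugin_state() {
  case "$1" in
    0|2) echo 0 ;;  # good, or informational only (policy choice of this example)
    3)   echo 1 ;;  # warning from a health check
    4)   echo 2 ;;  # critical from a health check
    *)   echo 3 ;;  # 1, 5, 6, 127...: the check did not complete, so not a pass
  esac
}

# Aggregation order: CRITICAL > UNKNOWN > WARNING > OK.
state_rank() {
  case "$1" in 2) echo 3 ;; 3) echo 2 ;; *) echo "$1" ;; esac
}

# Check every mount passed as an argument; print one line per mount and
# return the worst plugin state across all of them.
check_mounts() {
  cm_worst=0
  for cm_mount in "$@"; do
    cm_rc=0
    # Report output is discarded here; redirect it to a log in real use.
    "$VHSM_BIN" pki health-check "$cm_mount" >/dev/null 2>&1 || cm_rc=$?
    cm_state=$(plugin_state "$cm_rc")
    echo "mount=$cm_mount vhsm_exit=$cm_rc state=$cm_state"
    if [ "$(state_rank "$cm_state")" -gt "$(state_rank "$cm_worst")" ]; then
      cm_worst=$cm_state
    fi
  done
  return "$cm_worst"
}

# Constructed stand-in for the CLI so the wrapper can be exercised offline:
# it returns a fixed exit code per mount name ($3 is the mount argument).
fake_vhsm() {
  case "$3" in
    pki-root/) return 0 ;;
    pki-int/)  return 3 ;;
    pki-old/)  return 4 ;;
    *)         return 6 ;;
  esac
}

# Offline demo: sh wrapper.sh --demo
if [ "${1:-}" = "--demo" ]; then
  VHSM_BIN=fake_vhsm
  check_mounts pki-root/ pki-int/ ns1/pki
  exit $?
fi
```

With the stand-in, a permission-denied mount (exit 6) outranks a warning on another mount, so the aggregate state is UNKNOWN rather than WARNING.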

Additional Information

For more information about the necessary actions to take based on the status of the health check, see Recommended Actions.
