vhsm pki health-check

-default-disabled

Disables all health checks by default unless explicitly enabled by the configuration file. Default is false.

-health-config=<path>

Path to a JSON configuration file to modify health check execution and parameters.

-list

Displays the list of health checks and known configuration values without running them. Requires a positional mount argument. Default is false.

-return-indicator=<value>

Determines the exit code behavior: permission, critical, warning, informational, or default. Default is default.

0

Everything is good.

1

Usage error (invalid CLI parameters).

2

Informational message from a health check.

3

Warning message from a health check.

4

Critical message from a health check.

5

Version mismatch between health check and vHSM Server.

6

Permission denied from vHSM Server.

Checks if CA certificates are expiring soon.

Verifies if CRLs are close to expiration.

Ensures leaf certificates are issued from intermediate CAs, not directly from root.

Detects roles that allow issuance for localhost.

Identifies roles allowing wildcard issuance with glob domains.

Checks if no_store is set to false, impacting performance.

Ensures audit information is accessible to log consumers.

Checks if If-Modified-Since and Last-Modified headers are configured.

Ensures auto-tidy is enabled with recommended defaults.

Checks if the tidy operation has run within the expected timeframe.

too_many_certs

Ensures ACME is enabled on mounts with an intermediary issuer to support automated certificate issuance and rotation.

Verifies that required ACME protocol headers (Replay-Nonce, Link, Location) are properly configured on the mount.