vhsm pki issue

Learn to create an intermediate certificate authority (CA) certificate.

The vhsm pki issue command creates an intermediate certificate authority (CA) certificate signed by the <parent> CA and stores it in the <child_mount>. The available options define the fields of the newly created certificate.

Usage

vhsm pki issue [flags] <parent> <child_mount> [options]
  • <parent>: The fully qualified path of the Certificate Authority (CA) in vHSM that will issue the new intermediate certificate.

  • <child_mount>: The path of the mount in vHSM where the new issuer will be stored.

  • [flags]: Optional arguments described below.

  • [options]: A set of key=value options that control certificate generation. These options correspond to parameters used in generate-intermediate-csr and sign-intermediate. At least one option must be provided.

Flags

Flag            Default       Description
----            -------       -----------
-type           "internal"    Determines the key type for the newly created certificate. Possible values: "existing" (link to an existing key in the vHSM backend; requires key_ref), "internal" (generate a new key), or "kms" (use an external key). Exported keys are not available through this API.
-issuer_name    "" (empty)    Specifies a name for the newly created issuer.

Options

In addition to -type, this command accepts all options supported by the Generate CSR and Sign Intermediate API endpoints. These options define the properties of the issued certificate.

Required API Access

To execute this command, the vHSM user must have permissions for the following API endpoints:

API Endpoint                                      Purpose
------------                                      -------
READ   /:parent                                   Validates the parent certificate.
WRITE  /:child_mount/intermediate/generate/:type  Generates the Certificate Signing Request (CSR).
WRITE  /:parent/sign-intermediate                 Signs the CSR.
WRITE  /:child_mount/issuers/import/cert          Imports the new issuer and issuer chain.
UPDATE /:child_mount/issuer/:issuer_refs          Assigns a name to the new issuer and sets its parent in the issuer chain.
READ   /:child_mount/issuer/:new_issuer_ref       Verifies completion and generates the output.

Example

vhsm pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com"

Output

Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL...
