vhsm pki issue

Learn to create an intermediate certificate authority (CA) certificate.

The vhsm pki issue command creates an intermediate certificate authority (CA) certificate signed by the <parent> CA and stores it as a new issuer in <child_mount>. The available options define the fields of the newly created certificate.

Usage

vhsm pki issue [flags] <parent> <child_mount> [options]
  • <parent>: The fully qualified path of the Certificate Authority (CA) in vHSM that will issue the new intermediate certificate.

  • <child_mount>: The path of the mount in vHSM where the new issuer will be stored.

  • [flags]: Optional arguments described below.

  • [options]: A set of key=value options that control certificate generation. These options correspond to parameters used in generate-intermediate-csr and sign-intermediate. At least one option must be provided.

Flags

| Flag | Default | Description |
| --- | --- | --- |
| -type | "internal" | Determines the key type for the newly created certificate. Possible values: "existing" (link to an existing key in the vHSM backend; requires key_ref), "internal" (generate a new key), or "kms" (use an external key). Exported keys are not available through this API. |
| -issuer_name | "" (empty) | Specifies a name for the newly created issuer. |

Options

In addition to -type, this command accepts all options supported by the Generate CSR and Sign Intermediate API endpoints. These options define the properties of the issued certificate.

Required API Access

To execute this command, the vHSM user must have permissions for the following API endpoints:

| API Endpoint | Purpose |
| --- | --- |
| READ /:parent | Validates the parent certificate. |
| WRITE /:child_mount/intermediate/generate/:type | Generates the Certificate Signing Request (CSR). |
| WRITE /:parent/sign-intermediate | Signs the CSR. |
| WRITE /:child_mount/issuers/import/cert | Imports the new issuer and issuer chain. |
| UPDATE /:child_mount/issuer/:issuer_refs | Assigns a name to the new issuer and sets its parent in the issuer chain. |
| READ /:child_mount/issuer/:new_issuer_ref | Verifies completion and generates the output. |

Example

vhsm pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com"

Output

Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL...
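Before pointing anything at the new issuer, an operator typically checks the returned ca_chain against the parent CA: the first certificate must actually be a CA, carry the common_name that was requested, verify up to the parent, and not expire after the parent does. The Go program below is an added illustration of that check; it is not part of this documentation or of the vHSM project and calls no vHSM API. The PEM material is constructed in BuildFixture (a sample root and two candidate intermediates, one deliberately issued as a non-CA leaf) so that it runs offline; in practice you would pass the ca_chain value printed above and the parent CA's PEM to VerifyIntermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed certificate for cn; a nil parent means self-signed.
func newCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with crypto/rand
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signer, signerKey = parent, parentKey // intermediate signed by the parent CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parsing what was just encoded cannot fail
	return cert, key
}

// parsePEM returns every CERTIFICATE block in data, in order.
func parsePEM(data string) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for rest := []byte(data); ; {
		var blk *pem.Block
		if blk, rest = pem.Decode(rest); blk == nil {
			break
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificates in PEM input")
	}
	return certs, nil
}

// VerifyIntermediate checks a ca_chain against the parent CA that signed it: the first
// certificate must be CA:TRUE, carry wantCN, verify up to parentPEM and not outlive its parent.
func VerifyIntermediate(chainPEM, parentPEM, wantCN string) error {
	chain, err := parsePEM(chainPEM)
	if err != nil {
		return err
	}
	parents, err := parsePEM(parentPEM)
	if err != nil {
		return err
	}
	issuer, parent := chain[0], parents[0]
	switch {
	case !issuer.BasicConstraintsValid || !issuer.IsCA:
		return fmt.Errorf("new issuer is not marked CA:TRUE")
	case issuer.Subject.CommonName != wantCN:
		return fmt.Errorf("common name %q, want %q", issuer.Subject.CommonName, wantCN)
	case issuer.NotAfter.After(parent.NotAfter):
		return fmt.Errorf("new issuer expires after its parent CA")
	}
	roots := x509.NewCertPool() // trust only the parent: a chain signed by any other key fails
	roots.AddCert(parent)
	_, err = issuer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// BuildFixture returns constructed PEM material standing in for vhsm output: the parent root
// CA, a correctly issued intermediate chain, and a chain whose first cert is a non-CA leaf.
func BuildFixture() (rootPEM, goodChain, leafChain string) {
	now := time.Now()
	root, rootKey := newCert("Example Root CA", true, now.Add(48*time.Hour), nil, nil)
	good, _ := newCert("first-department.example.com", true, now.Add(24*time.Hour), root, rootKey)
	leaf, _ := newCert("first-department.example.com", false, now.Add(24*time.Hour), root, rootKey)
	enc := func(c *x509.Certificate) string { return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})) }
	return enc(root), enc(good) + enc(root), enc(leaf) + enc(root) // new issuer first, as in ca_chain
}

func main() {
	rootPEM, good, leaf := BuildFixture()
	fmt.Println("issued intermediate:", VerifyIntermediate(good, rootPEM, "first-department.example.com"))
	fmt.Println("non-CA leaf:", VerifyIntermediate(leaf, rootPEM, "first-department.example.com"))
}
```

The lifetime check matters because the command inherits validity-related options from the sign-intermediate endpoint: an intermediate that outlives its parent stops verifying the moment the parent expires, which is the class of problem the CA Validity Period entry under Troubleshooting describes.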
Last updated 2 months ago