vhsm pki list-intermediates
Learn how to determine which certificates were issued by a parent certificate.
The pki list-intermediates command determines which certificates from a given list were issued by a specified parent certificate.
Usage
vhsm pki list-intermediates [flags] <parent> [child] [child] [child...]
<parent>: The certificate used as the issuer against which everything is verified.
[child] (optional): A path to a certificate to be compared to <parent>, or PKI mounts to search for certificates. If omitted, all accessible PKI mounts are used to construct the list.
This command returns a list of issuing certificates and whether they match the parent based on predefined criteria. By default, the match is determined by subject name, authority key ID, subject key ID, and the ability of the parent to have directly signed the issuer.
Flags
The following flags control the match criteria and output format:
Output Formatting
-use_names (default: false): Determines how issuers are referred to in the output: by issuer_id (default) or by their name/status as the default issuer (if true).
Match Criteria
-subject_match (default: true): Requires the subject of the parent issuer to match the issuer of the potential child.
-key_id_match (default: true): Requires the key ID of the parent issuer to match the key ID of the potential child.
-direct_verify (default: true): Requires that a trust relationship exists between the parent and child certificates without additional information.
-indirect_sign (default: true): Requires that if the parent is trusted, the child certificate must also be trusted using available certificate chains.
-path_contains (default: false): Requires the CA chain of the child certificate to contain the parent certificate for a match.
Required API Access
To run this command, the vHSM user must have access to the following API endpoints:
READ /:parent: Reads the parent certificate for verification.
LIST /sys/mounts: Retrieves a list of PKI mounts if no [child] argument is provided.
LIST /:child_mount/issuers/: Finds PKI issuers on a mount when [child] is omitted or is a mount.
READ /:child: Reads each potential child issuer for comparison against the parent.
Example
vhsm pki list-intermediates /pki_root/issuer/default
Output
intermediate match?
------------ ------
pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b true
pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581 true
pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c true
pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958 true
pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837 true