vhsm pki list-intermediates

Learn how to determine which certificates were issued by a parent certificate.

The pki list-intermediates command determines which certificates from a given list were issued by a specified parent certificate.

Usage

vhsm pki list-intermediates [flags] <parent> [child] [child] [child...]
  • <parent>: The certificate used as the issuer, against which every candidate is verified.

  • [child] (optional): A path to a certificate to compare against <parent>, or a PKI mount to search for issuer certificates. If omitted, all accessible PKI mounts are searched to build the candidate list.

This command returns the list of candidate issuing certificates and, for each one, whether it matches the parent under the selected criteria. By default a candidate matches when its issuer name equals the parent's subject name, its authority key ID equals the parent's subject key ID, and its signature verifies directly under the parent's key (that is, the parent could have signed it directly).

Flags

The following flags control the match criteria and output format:

Output Formatting

Flag         Default   Description
----         -------   -----------
-use_names   false     Determines how issuers are referred to in the output: by issuer_id (default) or, if true, by their name or their status as the default issuer.

Match Criteria

Flag             Default   Description
----             -------   -----------
-subject_match   true      Requires the subject name of the parent issuer to equal the issuer name of the potential child.
-key_id_match    true      Requires the subject key ID of the parent issuer to equal the authority key ID of the potential child.
-direct_verify   true      Requires that the child's signature verifies under the parent's key alone, with no additional chain information.
-indirect_sign   true      Requires that, if the parent is trusted, the child certificate is also trusted via the available certificate chains.
-path_contains   false     Requires the CA chain of the child certificate to contain the parent certificate for a match.
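The three default criteria (subject match, key ID match, direct verification) are simple checks on two parsed certificates. The following Go program is an added illustration, not the command's own code: it builds a constructed in-memory hierarchy (a root, an intermediate the root signed, and an intermediate from an unrelated root), then applies each criterion with the standard library's crypto/x509 package and prints a table in the shape of the sample output above. The type and function names (MatchCriteria, Matches, BuildDemoPKI, issue) are assumptions for this example; -indirect_sign and -path_contains are not implemented here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MatchCriteria mirrors the three default match flags (-subject_match,
// -key_id_match, -direct_verify). Hypothetical reimplementation for
// illustration, not the command's internal logic.
type MatchCriteria struct {
	SubjectMatch bool
	KeyIDMatch   bool
	DirectVerify bool
}

// Matches reports whether candidate could have been issued by parent under the
// enabled criteria, together with the reason for every failed check.
func Matches(parent, candidate *x509.Certificate, c MatchCriteria) (bool, []string) {
	var reasons []string
	// -subject_match: the candidate's Issuer name must equal the parent's Subject.
	if c.SubjectMatch && !bytes.Equal(parent.RawSubject, candidate.RawIssuer) {
		reasons = append(reasons, "issuer name != parent subject")
	}
	// -key_id_match: the candidate's Authority Key Identifier must equal the
	// parent's Subject Key Identifier; a missing AKI counts as a mismatch.
	if c.KeyIDMatch && (len(candidate.AuthorityKeyId) == 0 ||
		!bytes.Equal(parent.SubjectKeyId, candidate.AuthorityKeyId)) {
		reasons = append(reasons, "authority key id != parent subject key id")
	}
	// -direct_verify: the candidate's signature must verify under the parent's
	// key alone, with no intermediate chain involved.
	if c.DirectVerify {
		if err := candidate.CheckSignatureFrom(parent); err != nil {
			reasons = append(reasons, "not directly signed by parent: "+err.Error())
		}
	}
	return len(reasons) == 0, reasons
}

// caTemplate builds a CA certificate template with an explicit Subject Key ID.
func caTemplate(cn string, serial int64, ski []byte) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          ski,
	}
}

// issue generates a fresh P-256 key and a certificate for tmpl signed by
// parent; with parent nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDemoPKI constructs sample data in memory: a root, an intermediate the
// root signed, and an intermediate signed by an unrelated root.
func BuildDemoPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	rootTmpl := caTemplate("Demo Root", 1, []byte{1, 1, 1, 1})
	rootTmpl.AuthorityKeyId = rootTmpl.SubjectKeyId // AKI == SKI, so the root lists itself as a match
	root, rootKey := issue(rootTmpl, nil, nil)
	child, _ := issue(caTemplate("Demo Intermediate", 2, []byte{2, 2, 2, 2}), root, rootKey)
	otherRoot, otherKey := issue(caTemplate("Other Root", 3, []byte{3, 3, 3, 3}), nil, nil)
	stranger, _ := issue(caTemplate("Other Intermediate", 4, []byte{4, 4, 4, 4}), otherRoot, otherKey)
	return root, child, stranger
}

func main() {
	root, child, stranger := BuildDemoPKI()
	defaults := MatchCriteria{SubjectMatch: true, KeyIDMatch: true, DirectVerify: true}
	fmt.Printf("%-22s %-6s %s\n", "intermediate", "match?", "reasons")
	for _, cand := range []*x509.Certificate{child, root, stranger} {
		ok, reasons := Matches(root, cand, defaults)
		fmt.Printf("%-22s %-6t %v\n", cand.Subject.CommonName, ok, reasons)
	}
}
```

The root appears in its own result list as a match because its authority key ID equals its subject key ID and its signature verifies under its own key, which is why pki_root/issuer/... shows true in the sample output below. Disabling a criterion (setting the field to false) widens the match set, so a run with every check disabled reports every candidate as a match.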

Required API Access

To run this command, the vHSM user must have access to the following API endpoints:

API Endpoint                    Purpose
------------                    -------
READ /:parent                   Reads the parent certificate for verification.
LIST /sys/mounts                Retrieves the list of PKI mounts if no [child] argument is provided.
LIST /:child_mount/issuers/     Finds PKI issuers on a mount when [child] is omitted or is a mount.
READ /:child                    Reads each potential child issuer for comparison against the parent.

Example

vhsm pki list-intermediates /pki_root/issuer/default

Output

intermediate                                             match?
------------                                             ------
pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b    true
pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581    true
pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c     true
pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958      true
pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837      true
