
vhsm pki list-intermediates

Learn how to determine which certificates were issued by a parent certificate.

The vhsm pki list-intermediates command checks each certificate in a given list against a specified parent certificate and reports which of them were issued by that parent.

Usage

vhsm pki list-intermediates [flags] <parent> [child] [child] [child...]
  • <parent>: The certificate used as the issuer; every candidate is verified against it. It is given as an issuer path on a PKI mount, for example pki_root/issuer/default.

  • [child] (optional): Either a path to a certificate to compare against <parent>, or a PKI mount to search for issuers; several may be given. If omitted, every PKI mount the token can access is searched.

The command prints one row per candidate issuer with a match? column. A candidate is reported as a match only if it passes every enabled check. By default four checks are enabled: the candidate's Issuer DN equals the parent's Subject DN, the candidate's Authority Key Identifier equals the parent's Subject Key Identifier, the candidate's signature verifies directly against the parent's key, and the candidate chains back to the parent through the available CA chain. The fifth check, that the parent certificate itself appears in the candidate's CA chain (-path_contains), is off by default.

Flags

The following flags control the match criteria and the output format. Every criterion flag is a boolean; a candidate is reported as a match only when each enabled criterion passes, so turning a default flag off loosens the match and turning -path_contains on tightens it.

Output Formatting

Flag            Default  Description
-use_names      false    How issuers are named in the output: by issuer_id (default), or by their issuer name and whether they are the mount's default issuer (if true).

Match Criteria

Flag            Default  Description
-subject_match  true     The Subject DN of the parent must equal the Issuer DN of the potential child.
-key_id_match   true     The Subject Key Identifier of the parent must equal the Authority Key Identifier of the potential child.
-direct_verify  true     The potential child's signature must verify against the parent's public key, with no other certificates involved.
-indirect_sign  true     With the parent as the trust anchor, the potential child must verify through the available certificate chains, so a child that reaches the parent indirectly can still pass.
-path_contains  false    The CA chain of the potential child must contain the parent certificate itself.
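The checks behind these flags are ordinary X.509 comparisons, and seeing them spelled out makes the defaults easier to reason about. The Go program below is an added example written for this page using only the Go standard library; it is not vHSM's or Vault's code, and the names Criteria, Result, Evaluate and newCA are this example's own. It constructs a self-signed root, an intermediate signed by that root and an unrelated intermediate from a second root (all test data generated at run time), evaluates each candidate against the root with the same five criteria, and prints a match? column in the style of the command's output.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Criteria mirrors the boolean match flags of `vhsm pki list-intermediates`. Assumption: this and
// everything below is an independent re-implementation written for this page, not vHSM's own code.
type Criteria struct{ SubjectMatch, KeyIDMatch, DirectVerify, IndirectSign, PathContains bool }

// Result records the outcome of each check separately, so a failed match can be explained.
type Result struct{ SubjectMatch, KeyIDMatch, DirectVerify, IndirectSign, PathContains bool }

// DefaultCriteria reproduces the command's defaults: every check on except -path_contains.
func DefaultCriteria() Criteria {
	return Criteria{SubjectMatch: true, KeyIDMatch: true, DirectVerify: true, IndirectSign: true}
}

// Match is true only when every check the criteria enable has passed.
func (r Result) Match(c Criteria) bool {
	return (!c.SubjectMatch || r.SubjectMatch) && (!c.KeyIDMatch || r.KeyIDMatch) &&
		(!c.DirectVerify || r.DirectVerify) && (!c.IndirectSign || r.IndirectSign) &&
		(!c.PathContains || r.PathContains)
}

// Evaluate runs the five checks for one candidate child against the parent. chain is the
// candidate's CA chain as its PKI mount would return it (the issuers above the child).
func Evaluate(parent, child *x509.Certificate, chain []*x509.Certificate) Result {
	var r Result
	// -subject_match: the child's Issuer DN must equal the parent's Subject DN.
	r.SubjectMatch = bytes.Equal(parent.RawSubject, child.RawIssuer)
	// -key_id_match: the child's Authority Key Identifier must equal the parent's Subject Key Identifier.
	r.KeyIDMatch = len(parent.SubjectKeyId) > 0 && bytes.Equal(parent.SubjectKeyId, child.AuthorityKeyId)
	// -direct_verify: the child's signature verifies with the parent's key and nothing else.
	r.DirectVerify = child.CheckSignatureFrom(parent) == nil
	// -indirect_sign: with the parent as the only trust anchor, the child must chain to it through the CA chain.
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(parent)
	for _, c := range chain {
		inters.AddCert(c)
		// -path_contains: the parent certificate itself must appear in the child's CA chain.
		r.PathContains = r.PathContains || bytes.Equal(c.Raw, parent.Raw)
	}
	_, err := child.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	r.IndirectSign = err == nil
	return r
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA issues a CA certificate for the demo; parent == nil produces a self-signed root.
// Every certificate built here is constructed test data, not from any real deployment.
func newCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ski := sha1.Sum(must(x509.MarshalPKIXPublicKey(&key.PublicKey))) // key ID derived from the key, per RFC 5280 4.2.1.2
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: ski[:],
	}
	if parent == nil { // self-signed: the root is its own issuer and carries its own key ID as AKI
		parent, parentKey = tmpl, key
		tmpl.AuthorityKeyId = ski[:]
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// candidate is one row of the demo output: a label, the issuer under test and its served CA chain.
type candidate struct{ label string; cert *x509.Certificate; chain []*x509.Certificate }

func main() {
	root, rootKey := newCA("Demo Root", nil, nil)
	inter, _ := newCA("Demo Intermediate", root, rootKey)
	other, otherKey := newCA("Other Root", nil, nil)
	stranger, _ := newCA("Unrelated Intermediate", other, otherKey)
	for _, c := range []candidate{
		{"intermediate signed by root", inter, []*x509.Certificate{root}},
		{"the root against itself", root, nil},
		{"intermediate from another root", stranger, []*x509.Certificate{other}},
	} {
		r := Evaluate(root, c.cert, c.chain)
		fmt.Printf("%-32s match? %-5v %+v\n", c.label, r.Match(DefaultCriteria()), r)
	}
}
```

Run it with go run. The middle row shows a self-signed root matching itself under the default criteria, which is why a parent's own mount can appear as a match in the real command's output; the last row shows every check failing for an issuer with no relationship to the parent. Enabling PathContains in the criteria tightens the first row to candidates whose served chain actually carries the parent, which is what -path_contains does on the command line.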

Required API Access

To run this command, the vHSM token must be permitted to call the following API endpoints:

API Endpoint                 Purpose
READ /:parent                Reads the parent certificate that candidates are verified against.
LIST /sys/mounts             Lists the PKI mounts; needed only when no [child] argument is given.
LIST /:child_mount/issuers/  Lists the issuers on a mount when [child] is omitted or names a mount.
READ /:child                 Reads each potential child issuer for comparison against the parent.

A token that is not allowed to list /sys/mounts can still use the command by naming the mounts or issuer paths to check as [child] arguments.

Example

vhsm pki list-intermediates /pki_root/issuer/default

Output

intermediate                                             match?
------------                                             ------
pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b    true
pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581    true
pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c     true
pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958      true
pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837      true

Note that an issuer on the parent's own mount, pki_root, is reported as a match. A self-signed root passes the default checks against itself (its Issuer equals its Subject, its Authority Key Identifier is its own Subject Key Identifier, and its signature verifies with its own key), so the parent itself appears in the list alongside the intermediates it signed. Pass -use_names to show issuer names instead of issuer_id values, and -path_contains to restrict the list to issuers whose served CA chain includes the parent.

Last updated 2 months ago
