vhsm pki reissue

Learn to reissue a Certificate Authority (CA) certificate using an existing issuer as a template.

The vhsm pki reissue command allows reissuing a Certificate Authority (CA) certificate using an existing issuer as a template. This simplifies the process by pre-populating certificate fields from a specified template while allowing modifications as needed.

Usage

vhsm pki reissue [flags] <parent> <template> <child_mount> [options]
  • <parent>: The fully qualified path of the CA in vHSM that will issue the new intermediate certificate.

  • <template>: The fully qualified path of an intermediate certificate in vHSM that serves as a template for the new certificate. Fields not overridden by [options] will be copied from this template.

    Note: Not all certificate fields are supported by vHSM. If an external CA was imported into vHSM, some fields may not be retained, and no warning will be provided.

  • <child_mount>: The vHSM mount path where the new issuer will be stored.

  • [flags]: Optional arguments described below.

  • [options]: A set of key=value options that define certificate attributes. These options correspond to those used in generate-intermediate-csr and sign-intermediate.

Upon successful execution, this command outputs the details of the newly created issuer.

Flags

Flag            Default       Description
-type           "internal"    Specifies the key type for the new certificate. Possible values:
                              "existing" (link to an existing key in the vHSM backend),
                              "internal" (generate a new key), or "kms" (use an external key).
                              Exported keys are not available via this API.
-issuer_name    "" (empty)    Assigns a name to the newly created issuer.

Note: When using an existing key (-type=existing), the key material must exist in the same mount where the new certificate is being created. If the template resides on a different mount and no key_ref is provided for a key in the new issuer’s mount, the command will fail.

Options

In addition to -type, this command accepts all options supported by the Generate CSR and Sign Intermediate API endpoints. These options define the certificate’s attributes.

Required API Access

To execute this command, the vHSM user must have permissions for the following API endpoints:

API Endpoint                                       Purpose
READ   /:parent                                    Validates the parent certificate.
READ   /:template                                  Extracts template values for the new certificate.
WRITE  /:child_mount/intermediate/generate/:type   Generates the Certificate Signing Request (CSR).
WRITE  /:parent/sign-intermediate                  Signs the CSR.
WRITE  /:child_mount/issuers/import/cert           Imports the new issuer and issuer chain.
UPDATE /:child_mount/issuer/:issuer_refs           Assigns a name to the new issuer and links the parent in the issuer chain.
READ   /:child_mount/issuer/:new_issuer_ref        Verifies completion and generates the output.

Example

vhsm pki reissue -issuer_name="SecondDepartment" /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ common_name="second-department.example.com"

Output

Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIUdfRe05B5eRXsg3pvsJ/g94eYuWkwDQYJKoZIhvcNAQEL...
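The Required API Access table above lists every endpoint the command touches, which makes it straightforward to give the operator running it only that access instead of broad PKI permissions. The policy below is an added illustration, not part of the vHSM documentation. It assumes that vHSM accepts Vault-style HCL ACL policies (path blocks with "read" and "update" capabilities) and that the table's READ maps to "read" while WRITE and UPDATE map to "update"; the paths are built from the mounts and issuer names in the example command (pki_root, pki_int, pki_int_2, FirstDepartment) with the leading slash dropped. Adjust the path syntax if vHSM's policy language differs.

```hcl
# Added example (assumed Vault-style HCL policy): least-privilege access for
#   vhsm pki reissue -issuer_name="SecondDepartment" \
#       /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ ...
# Each block corresponds to one row of the Required API Access table.

# READ /:parent - validate the issuing (parent) CA
path "pki_root/issuer/default" {
  capabilities = ["read"]
}

# READ /:template - copy certificate fields from the template issuer
path "pki_int/issuer/FirstDepartment" {
  capabilities = ["read"]
}

# WRITE /:child_mount/intermediate/generate/:type - generate the CSR.
# Only the default "internal" key type is allowed; "existing" and "kms"
# would each need their own path entry if they are to be permitted.
path "pki_int_2/intermediate/generate/internal" {
  capabilities = ["update"]
}

# WRITE /:parent/sign-intermediate - have the parent sign the CSR
path "pki_root/issuer/default/sign-intermediate" {
  capabilities = ["update"]
}

# WRITE /:child_mount/issuers/import/cert - import the signed issuer and chain
path "pki_int_2/issuers/import/cert" {
  capabilities = ["update"]
}

# UPDATE /:child_mount/issuer/:issuer_refs   - name the new issuer, link the parent
# READ   /:child_mount/issuer/:new_issuer_ref - read back the finished issuer
# The new issuer's reference is only known after import, so the issuer path
# needs a wildcard here.
path "pki_int_2/issuer/*" {
  capabilities = ["read", "update"]
}
```

The wildcard in the last block is the one place this policy is wider than the command strictly needs: it also allows reading and updating any other issuer already present in pki_int_2. If that mount holds other issuers, review that trade-off before attaching the policy; the other blocks name single paths and grant nothing beyond the listed endpoints.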
