vhsm pki reissue

Learn to reissue a Certificate Authority (CA) certificate using an existing issuer as a template.

The vhsm pki reissue command allows reissuing a Certificate Authority (CA) certificate using an existing issuer as a template. This simplifies the process by pre-populating certificate fields from a specified template while allowing modifications as needed.

Usage

vhsm pki reissue [flags] <parent> <template> <child_mount> [options]
  • <parent>: The fully qualified path of the CA in vHSM that will issue the new intermediate certificate.

  • <template>: The fully qualified path of an intermediate certificate in vHSM that serves as a template for the new certificate. Fields not overridden by [options] will be copied from this template.

    Note: Not all certificate fields are supported by vHSM. If an external CA was imported into vHSM, some fields may not be retained, and no warning will be provided.

  • <child_mount>: The vHSM mount path where the new issuer will be stored.

  • [flags]: Optional arguments described below.

  • [options]: A set of key=value options that define certificate attributes. These options correspond to those used in generate-intermediate-csr and sign-intermediate.

Upon successful execution, this command outputs the details of the newly created issuer.

Flags

  • -type (default: "internal"): Specifies the key type for the new certificate. Possible values: "existing" (link to an existing key in the vHSM backend), "internal" (generate a new key), or "kms" (use an external key). Exported keys are not available via this API.

  • -issuer_name (default: "" (empty)): Assigns a name to the newly created issuer.

Note: When using an existing key (-type=existing), the key material must exist in the same mount where the new certificate is being created. If the template resides on a different mount and no key_ref is provided for a key in the new issuer's mount, the command will fail.

Options

In addition to -type, this command accepts all options supported by the Generate CSR and Sign Intermediate API endpoints. These options define the certificate’s attributes.

Required API Access

To execute this command, the vHSM user must have permissions for the following API endpoints:

API Endpoint                                       Purpose
------------                                       -------
READ /:parent                                      Validates the parent certificate.
READ /:template                                    Extracts template values for the new certificate.
WRITE /:child_mount/intermediate/generate/:type    Generates the Certificate Signing Request (CSR).
WRITE /:parent/sign-intermediate                   Signs the CSR.
WRITE /:child_mount/issuers/import/cert            Imports the new issuer and issuer chain.
UPDATE /:child_mount/issuer/:issuer_refs           Assigns a name to the new issuer and links the parent in the issuer chain.
READ /:child_mount/issuer/:new_issuer_ref          Verifies completion and generates the output.
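
The seven endpoint calls above, worked through as an added example (not vHSM's own code): the transport is injected so the flow can be exercised offline, `required_access` lists the capability/path pairs a least-privilege policy must grant, and the request/response field names (csr, certificate, issuing_ca, pem_bundle, imported_issuers) are assumptions borrowed from Vault-style PKI APIs.

```python
"""Model of the vhsm pki reissue workflow built from the endpoint table.
Added example, not vHSM's own code. Field names in request/response
bodies (csr, certificate, issuing_ca, pem_bundle, imported_issuers)
are assumptions; the endpoint paths follow the table on this page."""
from typing import Callable, Dict, List, Tuple

Call = Callable[[str, str, Dict], Dict]  # (method, path, body) -> response data

# Template fields copied into the new certificate unless overridden (assumed set).
COPIED_FIELDS = ("common_name", "organization", "ou", "country", "ttl")


def required_access(parent: str, template: str, child_mount: str,
                    key_type: str = "internal") -> List[Tuple[str, str]]:
    """Capability/path pairs a policy needs: one entry per row of the table."""
    p, t, c = (s.strip("/") for s in (parent, template, child_mount))
    return [
        ("read", p), ("read", t),
        ("update", f"{c}/intermediate/generate/{key_type}"),
        ("update", f"{p}/sign-intermediate"),
        ("update", f"{c}/issuers/import/cert"),
        ("update", f"{c}/issuer/+"),  # issuer ref is only known after import
    ]


def reissue(call: Call, parent: str, template: str, child_mount: str,
            options: Dict, key_type: str = "internal", issuer_name: str = "") -> Dict:
    """Run the steps in table order and return the final issuer read."""
    p, t, c = (s.strip("/") for s in (parent, template, child_mount))
    call("GET", p, {})                       # 1. validate the parent exists
    tmpl = call("GET", t, {})                # 2. read template values
    fields = {k: tmpl[k] for k in COPIED_FIELDS if k in tmpl}
    fields.update(options)                   # explicit options win over template
    csr = call("POST", f"{c}/intermediate/generate/{key_type}", fields)["csr"]  # 3
    signed = call("POST", f"{p}/sign-intermediate", {"csr": csr, **fields})     # 4
    bundle = signed["certificate"] + "\n" + signed["issuing_ca"]
    imported = call("POST", f"{c}/issuers/import/cert", {"pem_bundle": bundle})  # 5
    new_ref = imported["imported_issuers"][0]
    call("POST", f"{c}/issuer/{new_ref}", {"issuer_name": issuer_name})          # 6
    return call("GET", f"{c}/issuer/{new_ref}", {})                              # 7
```

Feeding `required_access` into a policy before running the command makes a missing capability show up as a policy review finding rather than a half-completed reissue.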

Example

vhsm pki reissue -issuer_name="SecondDepartment" /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ common_name="second-department.example.com"

Output

Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIUdfRe05B5eRXsg3pvsJ/g94eYuWkwDQYJKoZIhvcNAQEL...

Last updated 2 months ago