pki

The pki command groups subcommands for interacting with Vault's PKI Secrets Engine.

Syntax

Option flags for a given subcommand are provided after the subcommand, but before the arguments.

Example Health Check

To health check a mount, use the vault pki health-check <mount> command:

$ vault pki health-check pki
ca_validity_period
------------------
status    endpoint                                            message
------    --------                                            -------
ok        /pki/issuer/da41ffb1-cc6d-5a5c-f147-e4d7beeb1b73    Issuer's validity (2032-12-17) is OK

... more output elided ...

Example Verify Sign

To verify the signature between two issuer certificates, use the vault pki verify-sign <parent> <child> command:

$ vault pki verify-sign pki_root/issuer/root pki_int/issuer/FirstDepartment
issuer:pki_root/issuer/root
issued:pki_int/issuer/FirstDepartment

field              value
-----              -----
subject_match      true
path_match         true
trust_match        true
key_id_match       true
signature_match    true

Example List Child Issuers

To list intermediate certificates potentially issued by a certificate inside vault, use the vault pki list-intermediates <parent> command:

$ vault pki list-intermediates /pki_root/issuer/default
intermediate                                             match?
------------                                             ------
pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b    true
pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581    true
pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c     true
pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958      true
pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837      true

Example Issue

To issue a new issuer certificate, use the vault pki issue <parent-certificate-path> <mount> command:

$ vault pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com"
Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL...

Example Reissue

To reissue an issuer certificate, using the same fields as an existing issuer template, use the vault pki reissue <parent-certificate-path> <template> <mount> command:

$ vault pki reissue -issuer_name="SecondDepartment" /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ common_name="second-department.example.com"
Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIUdfRe05B5eRXsg3pvsJ/g94eYuWkwDQYJKoZIhvcNAQEL```