Vault
pki issue
This command creates a intermediate certificate authority certificate signed by
the <parent>
in the <child_mount>
, using the options to determine the fields
on that certificate.
Usage
Usage: vault pki issue [flags] <parent> <child_mount> [options]
[flags]
are optional arguments described below<parent>
is the fully qualified path of the Certificate Authority in vault which will issue the new intermediate certificate.<child_mount>
is the path of the mount in vault where the new issuer is saved.[options]
are the superset of the k=v options passed to generate-intermediate-csr and sign-intermediate commands. At least one option must be set. See below.
Flags
-type
(string: "internal")
- This determines the type of key use for the newly created certificate. Valid types are"existing"
- where we link to a key already present in the vault-backend to be used (and expect option arguments"key_ref"
) -"internal"
- to generate a new key for this certificate - or"kms"
- to link to an external key. Exported keys are not available through this API.-issuer_name
(string: "")
- If present, the newly created issuer will be given this name.
Options
Other than type
(which is passed as a flag, see above), this command accepts
all options provided to the
Generate CSR and
Sign Intermediate endpoints.
Accessed APIs
Note that the vault user running this command will need to have access to the following API endpoints, each representing a step in the process:
READ /:parent
- used to check validityWRITE /:child_mount/intermediate/generate/:type
- used to generate the csrWRITE /:parent/sign-intermediate
- used to sign the csrWRITE /:child_mount/issuers/import/cert
- used to import the new issuer, and the issuer chainUPDATE /:child_mount/issuer/:issuer_refs
- used to both name the new issuer, and also set the name of the parent in the issuer chainREAD /:child_mount/issuer/:new_issuer_ref
- used to verify completion, generate the output
Examples
$ vault pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com"
Key Value
--- -----
ca_chain [-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL...