HashiConf More sessions have been added to the conference agenda. Buy your pass and plan your schedule. Register
Vault
Vault Home

pki verify-sign

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website.

This command verifies whether the listed issuer has signed the listed issued certificate.

This command returns five fields of information:

  • signature_match: was the key of the issuer used to sign the issued.

  • path_match: the possible issuer appears in the valid certificate chain of the issued.

  • key_id_match: does the key id of the issuer match the key_id of the subject.

  • subject_match: does the subject name of the issuer match the issuer subject of the issued.

  • trust_match: if someone trusted the parent issuer, is the chain provided sufficient to trust the child issued.

Usage

Usage: vault pki verify-sign <parent> <child>

  • <parent> is the fully name-spaced path to the issuer certificate which will be used to verify the <child> certificate

  • <child> is the fully name-spaced path to the potential child-certificate to be verified

A fully namespaced path looks like, for instance, 'ns1/mount1/issuer/issuerName/json'.

Example

$ vault pki verify-sign pki_root/issuer/root pki_int/issuer/FirstDepartment
issuer:pki_root/issuer/root
issued:pki_int/issuer/FirstDepartment

field              value
-----              -----
subject_match      true
path_match         true
trust_match        true
key_id_match       true
signature_match    true
Edit this page on GitHub