Vault
pki verify-sign
This command verifies whether the listed issuer has signed the listed issued certificate.
This command returns five fields of information:
signature_match: was the key of the issuer used to sign the issued.
path_match: the possible issuer appears in the valid certificate chain of the issued.
key_id_match: does the key id of the issuer match the key_id of the subject.
subject_match: does the subject name of the issuer match the issuer subject of the issued.
trust_match: if someone trusted the parent issuer, is the chain provided sufficient to trust the child issued.
Usage
Usage: vault pki verify-sign <parent> <child>
<parent> is the fully name-spaced path to the issuer certificate which will be used to verify the <child> certificate
<child> is the fully name-spaced path to the potential child-certificate to be verified
A fully namespaced path looks like, for instance, 'ns1/mount1/issuer/issuerName/json'.
Example
$ vault pki verify-sign pki_root/issuer/root pki_int/issuer/FirstDepartment
issuer:pki_root/issuer/root
issued:pki_int/issuer/FirstDepartment
field value
----- -----
subject_match true
path_match true
trust_match true
key_id_match true
signature_match true
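What the five fields check, sketched with Go's crypto/x509 as an added example (not Vault's implementation and not part of the original page). The helpers `mkCA` and `verifySign`, the constructed certificates and key ids, and passing the child's chain in as a parameter are all assumptions of this sketch.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCA (hypothetical helper) builds a constructed test CA; a nil parent yields a self-signed root.
func mkCA(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		SubjectKeyId: []byte(cn), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign} // key id is a constructed value
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, err := x509.ParseCertificate(der) // a failed create also surfaces here as a parse error
	if err != nil {
		panic(err)
	}
	return c, key
}

// verifySign (hypothetical) evaluates the five checks; chain is the child's CA chain, supplied by the caller.
func verifySign(parent, child *x509.Certificate, chain []*x509.Certificate) map[string]bool {
	roots, inter, inPath := x509.NewCertPool(), x509.NewCertPool(), false
	roots.AddCert(parent) // trust only the candidate parent
	for _, c := range chain {
		inPath = inPath || c.Equal(parent)
		inter.AddCert(c)
	}
	_, err := child.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return map[string]bool{"trust_match": err == nil, "path_match": inPath,
		"signature_match": child.CheckSignatureFrom(parent) == nil,
		"key_id_match":    bytes.Equal(parent.SubjectKeyId, child.AuthorityKeyId),
		"subject_match":   bytes.Equal(parent.RawSubject, child.RawIssuer)}
}

func main() {
	root, rk := mkCA("root", nil, nil)
	dept, _ := mkCA("FirstDepartment", root, rk)
	fmt.Println(verifySign(root, dept, []*x509.Certificate{dept, root}))
}
```

Checked against a second certificate that carries the root's subject name and key id but a different key, this sketch reports subject_match and key_id_match as true while signature_match, path_match and trust_match are false, so the name and key-id fields are best read as hints and the signature and chain fields as the proof.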