pki
The pki
command groups subcommands for interacting with OpenBao's
PKI Secrets Engine.
Syntax
Option flags for a given subcommand are provided after the subcommand, but before the arguments.
Example health check
To health check a mount, use the
bao pki health-check <mount>
command:
$ bao pki health-check pki
ca_validity_period
------------------
status endpoint message
------ -------- -------
ok /pki/issuer/da41ffb1-cc6d-5a5c-f147-e4d7beeb1b73 Issuer's validity (2032-12-17) is OK
... more output elided ...
Example verify sign
To verify the signature between two
issuer certificates, use the bao pki verify-sign <parent> <child>
command:
$ bao pki verify-sign pki_root/issuer/root pki_int/issuer/FirstDepartment
issuer:pki_root/issuer/root
issued:pki_int/issuer/FirstDepartment
field value
----- -----
subject_match true
path_match true
trust_match true
key_id_match true
signature_match true
Example list child issuers
To list intermediate certificates
potentially issued by a certificate inside OpenBao, use the
bao pki list-intermediates <parent>
command:
$ bao pki list-intermediates /pki_root/issuer/default
intermediate match?
------------ ------
pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b true
pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581 true
pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c true
pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958 true
pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837 true
Example issue
To issue a new issuer certificate, use the
bao pki issue <parent-certificate-path> <mount>
command:
$ bao pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com"
Key Value
--- -----
ca_chain [-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL...
Example reissue
To reissue an issuer certificate, using the
same fields as an existing issuer template, use the
bao pki reissue <parent-certificate-path> <template> <mount>
command:
$ bao pki reissue -issuer_name="SecondDepartment" /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ common_name="second-department.example.com"
Key Value
--- -----
ca_chain [-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIUdfRe05B5eRXsg3pvsJ/g94eYuWkwDQYJKoZIhvcNAQEL```