Skip to main content

pki issue

This command creates a intermediate certificate authority certificate signed by the <parent> in the <child_mount>, using the options to determine the fields on that certificate.

Usage

Usage: bao pki issue [flags] <parent> <child_mount> [options]

  • [flags] are optional arguments described below

  • <parent> is the fully qualified path of the Certificate Authority in OpenBao which will issue the new intermediate certificate.

  • <child_mount> is the path of the mount in OpenBao where the new issuer is saved.

  • [options] are the superset of the k=v options passed to generate-intermediate-csr and sign-intermediate commands. At least one option must be set. See below.

Flags

  • -type (string: "internal") - This determines the type of key use for the newly created certificate. Valid types are "existing" - where we link to a key already present in the OpenBao-backend to be used (and expect option arguments "key_ref") - "internal" - to generate a new key for this certificate - or "kms" - to link to an external key. Exported keys are not available through this API.

  • -issuer_name (string: "") - If present, the newly created issuer will be given this name.

Options

Other than type (which is passed as a flag, see above), this command accepts all options provided to the Generate CSR and Sign Intermediate endpoints.

Accessed APIs

Note that the openbao user running this command will need to have access to the following API endpoints, each representing a step in the process:

  • READ /:parent - used to check validity
  • WRITE /:child_mount/intermediate/generate/:type - used to generate the csr
  • WRITE /:parent/sign-intermediate - used to sign the csr
  • WRITE /:child_mount/issuers/import/cert - used to import the new issuer, and the issuer chain
  • UPDATE /:child_mount/issuer/:issuer_refs - used to both name the new issuer, and also set the name of the parent in the issuer chain
  • READ /:child_mount/issuer/:new_issuer_ref - used to verify completion, generate the output

Examples

$ bao pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com"
Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL...