Skip to main content

pki reissue

Frequently, a reissued CA certificate is to be very similar to another. This command enables reissuing a CA, using an existing issuer within OpenBao as a template, but allowing modifications to the desired attributes.

Usage

Usage: bao pki reissue [flags] <parent> <template> <child_mount> [options]

  • [flags] are optional arguments described below.

  • <parent> is the fully qualified path of the Certificate Authority in OpenBao which will issue the new intermediate certificate.

  • <template> is the fully qualified path of an intermediate certificate in OpenBao which will be used to populate certificate fields not overridden by [options].

warning

Note: not all possible certificate fields are supported by OpenBao, and this template reader covers only those OpenBao generates as a best effort. If unknown fields are set, such as when an external CA was imported into OpenBao, there may not be a warning that those are missing from the new issuer.

  • <child_mount> is the path of the mount in OpenBao where the new issuer is saved.

  • [options] are the superset of the k=v options passed to generate/intermediate and sign-intermediate commands. See below.

The output of this command when it is successful is to read the resulting new issuer entry.

Flags

  • -type (string: "internal") - This determines the type of key use for the newly created certificate. Valid types are "existing" - where we link to a key already present in the OpenBao-backend to be used - "internal" - to generate a new key for this certificate - or "kms" - to link to an external key. Exported keys are not available through this API.
warning

Note: It is only possible to generate a new certificate with an existing key that exists in the same mount where that key-material exists. This command is expected to fail should the template exist on a different mount, existing is the selected type, and no key_ref for a key in the new issuer mount is provided.

  • -issuer_name (string: "") - If present, the newly created issuer will be given this name.

Options

Other than type (which is passed as a flag, see above), this command accepts all options provided to the Generate CSR and Sign Intermediate endpoints.

Accessed APIs

Note that the OpenBao user running this command will need to have access to the following API endpoints, each representing a step in the process:

  • READ /:parent - used to check validity
  • READ /:template - used to generate the options for the new certificate
  • WRITE /:child_mount/intermediate/generate/:type - used to generate the csr
  • WRITE /:parent/sign-intermediate - used to sign the csr
  • WRITE /:child_mount/issuers/import/cert - used to import the new issuer, and the issuer chain
  • UPDATE /:child_mount/issuer/:issuer_refs - used to both name the new issuer, and also set the name of the parent in the issuer chain
  • READ /:child_mount/issuer/:new_issuer_ref - used to verify completion, generate the output

Examples

$ bao pki reissue -issuer_name="SecondDepartment" /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ common_name="second-department.example.com"
Key                               Value
---                               -----
ca_chain                          [-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIUdfRe05B5eRXsg3pvsJ/g94eYuWkwDQYJKoZIhvcNAQEL```