There is no such parameter issuer_name for this endpoint.
Check it yourself with vault path-help:
$ vault path-help pki_int/intermediate/generate/internal
Request: intermediate/generate/internal
Matching Route: ^intermediate/generate/(?P<exported>\w(([\w-.]+)?\w)?)$
Generate a new CSR and private key used for signing.
## PARAMETERS
add_basic_constraints (bool)
Whether to add a Basic Constraints
extension with CA: true. Only needed as a
workaround in some compatibility scenarios
with Active Directory Certificate Services.
alt_names (string)
The requested Subject Alternative Names, if any,
in a comma-delimited list. May contain both
DNS names and email addresses.
common_name (string)
The requested common name; if you want more than
one, specify the alternative names in the alt_names
map. If not specified when signing, the common
name will be taken from the CSR; other names
must still be specified in alt_names or ip_sans.
country (slice)
If set, Country will be set to
this value.
exclude_cn_from_sans (bool)
If true, the Common Name will not be
included in DNS or Email Subject Alternate Names.
Defaults to false (CN is included).
exported (string)
Must be "internal", "exported" or "kms". If set to
"exported", the generated private key will be
returned. This is your *only* chance to retrieve
the private key!
format (string)
Format for returned data. Can be "pem", "der",
or "pem_bundle". If "pem_bundle", any private
key and issuing cert will be appended to the
certificate pem. If "der", the value will be
base64 encoded. Defaults to "pem".
ip_sans (slice)
The requested IP SANs, if any, in a
comma-delimited list
key_bits (int)
The number of bits to use. Allowed values are
0 (universal default); with rsa key_type: 2048 (default), 3072, or
4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with
ed25519.
key_name (string)
Provide a name to the generated or existing key, the name
must be unique across all keys and not be the reserved value 'default'
key_ref (string)
Reference to a existing key; either "default"
for the configured default key, an identifier or the name assigned
to the key.
key_type (string)
The type of key to use; defaults to RSA. "rsa"
"ec" and "ed25519" are the only valid values.
locality (slice)
If set, Locality will be set to
this value.
managed_key_id (string)
The name of the managed key to use when the exported
type is kms. When kms type is the key type, this field or managed_key_name
is required. Ignored for other types.
managed_key_name (string)
The name of the managed key to use when the exported
type is kms. When kms type is the key type, this field or managed_key_id
is required. Ignored for other types.
not_after (string)
Set the not after field of the certificate with specified date value.
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
not_before_duration (duration (sec))
The duration before now which the certificate needs to be backdated by.
organization (slice)
If set, O (Organization) will be set to
this value.
other_sans (slice)
Requested other SANs, in an array with the format
<oid>;UTF8:<utf8 string value> for each entry.
ou (slice)
If set, OU (OrganizationalUnit) will be set to
this value.
postal_code (slice)
If set, Postal Code will be set to
this value.
private_key_format (string)
Format for the returned private key.
Generally the default will be controlled by the "format"
parameter as either base64-encoded DER or PEM-encoded DER.
However, this can be set to "pkcs8" to have the returned
private key contain base64-encoded pkcs8 or PEM-encoded
pkcs8 instead. Defaults to "der".
province (slice)
If set, Province will be set to
this value.
serial_number (string)
The Subject's requested serial number, if any.
See RFC 4519 Section 2.31 'serialNumber' for a description of this field.
If you want more than one, specify alternative names in the alt_names
map using OID 2.5.4.5. This has no impact on the final certificate's
Serial Number field.
signature_bits (int)
The number of bits to use in the signature
algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
SHA-2-512. Defaults to 0 to automatically detect based on key length
(SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).
street_address (slice)
If set, Street Address will be set to
this value.
ttl (duration (sec))
The requested Time To Live for the certificate;
sets the expiration date. If not specified
the role default, backend default, or system
default TTL is used, in that order. Cannot
be larger than the mount max TTL. Note:
this only has an effect when generating
a CA cert or signing a CA cert, not when
generating a CSR for an intermediate CA.
uri_sans (slice)
The requested URI SANs, if any, in a
comma-delimited list.
## DESCRIPTION
See the API documentation for more information.
Documentation which tells you otherwise is wrong.
This endpoint is neither creating nor using an issuer anyway, so specifying a name for one doesn’t make any sense.
It is possible the documentation author intended to suggest using the key_name parameter instead.