Menu
Products
Open Source
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
Products
Open Source
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
step beta ca provisioner
Name
step beta ca provisioner -- create and manage the certificate authority provisioners
Usage
step beta ca provisioner <subcommand> [arguments] [global-flags] [subcommand-flags]
Description
step beta ca provisioner command group provides facilities for managing the certificate authority provisioners.
WARNING: The 'beta' prefix is deprecated and will be removed in a future release. Please use 'step ca provisioner ...' going forwards.
A provisioner is an entity that controls provisioning credentials, which are used to generate provisioning tokens.
Provisioning credentials are simple JWK key pairs using public-key cryptography. The public key is used to verify a provisioning token while the private key is used to sign the provisioning token.
Provisioning tokens are JWT tokens signed by the JWK private key. These JWT tokens are used to get a valid TLS certificate from the certificate authority. Each provisioner is able to manage a different set of rules that can be used to configure the bounds of the certificate.
In the certificate authority, a provisioner is configured with a JSON object with the following properties:
- name: the provisioner name, it will become the JWT issuer and a good practice is to use an email address for this.
- type: the provisioner type, currently only "jwk" is supported.
- key: the JWK public key used to verify the provisioning tokens.
- encryptedKey (optional): the JWE compact serialization of the private key used to sign the provisioning tokens.
- claims (optional): an object with custom options for each provisioner.
Options supported are:
- minTLSCertDuration: minimum duration of a certificate, set to 5m by default.
- maxTLSCertDuration: maximum duration of a certificate, set to 24h by default.
- defaultTLSCertDuration: default duration of the certificate, set to 24h by default.
- disableRenewal: whether or not to disable certificate renewal, set to false by default.
- allowRenewalAfterExpiry: whether or not to allow certificate renewal of expired certificates, set to false by default.
Examples
Add a single provisioner:
$ step beta ca provisioner add max@smallstep.com --type JWK --create
Remove a provisioner:
$ step beta ca provisioner remove max@smallstep.com
Commands
Commands
Subscribe to updates
Unsubscribe anytime. See our privacy policy.
© 2023 Smallstep Labs, Inc. All rights reserved.