step beta ca provisioner add

Name

step beta ca provisioner add -- add a provisioner

Usage

step beta ca provisioner add <name> --type=JWK [--public-key=<file>]
[--private-key=<file>] [--create] [--password-file=<file>]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=OIDC
[--client-id=<id>] [--client-secret=<secret>]
[--configuration-endpoint=<url>] [--domain=<domain>]
[--admin=<email>]...
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]


step beta ca provisioner add <name> --type=X5C --x5c-root=<file>
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=SSHPOP
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=Nebula --nebula-root=<file>
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=K8SSA [--public-key=<file>]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=[AWS|Azure|GCP]
[--aws-account=<id>] [--gcp-service-account=<name>] [--gcp-project=<name>]
[--azure-tenant=<id>] [--azure-resource-group=<name>]
[--instance-age=<duration>] [--iid-roots=<file>]
[--disable-custom-sans] [--disable-trust-on-first-use]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=ACME [--force-cn] [--require-eab]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=SCEP [--force-cn] [--challenge=<challenge>]
[--capabilities=<capabilities>] [--include-root] [--min-public-key-length=<length>]
[--encryption-algorithm-identifier=<id>] [--admin-cert=<file>] [--admin-key=<file>]
[--admin-provisioner=<string>] [--admin-subject=<string>] [--password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>]

Description

step ca provisioner add adds a provisioner to the CA configuration.

WARNING: The 'beta' prefix is deprecated and will be removed in a future release. Please use 'step ca admin ...' going forwards.

Positional arguments

name The name of the provisioner.

Options

--type=type The type of provisioner to create.

type is a case-insensitive string and must be one of:

--x509-template=file The x509 certificate template file, a JSON representation of the certificate to create.

--x509-template-data=file The x509 certificate template data file, a JSON map of data that can be used by the certificate template.

--ssh-template=file The x509 certificate template file, a JSON representation of the certificate to create.

--ssh-template-data=file The ssh certificate template data file, a JSON map of data that can be used by the certificate template.

--x509-min-dur=duration The minimum duration for an x509 certificate generated by this provisioner.

--x509-max-dur=duration The maximum duration for an x509 certificate generated by this provisioner.

--x509-default-dur=duration The default duration for an x509 certificate generated by this provisioner.

--ssh-user-min-dur=duration The minimum duration for an ssh user certificate generated by this provisioner.

--ssh-user-max-dur=duration The maximum duration for an ssh user certificate generated by this provisioner.

--ssh-user-default-dur=duration The maximum duration for an ssh user certificate generated by this provisioner.

--ssh-host-min-dur=duration The minimum duration for an ssh host certificate generated by this provisioner.

--ssh-host-max-dur=duration The maximum duration for an ssh host certificate generated by this provisioner.

--ssh-host-default-dur=duration The maximum duration for an ssh host certificate generated by this provisioner.

--disable-renewal Disable renewal for all certificates generated by this provisioner.

--allow-renewal-after-expiry Allow renewals for expired certificates generated by this provisioner.

--x509 Enable provisioning of x509 certificates.

--ssh Enable provisioning of ssh certificates.

--create Create the JWK key pair for the provisioner.

--private-key=file The file containing the JWK private key.

--public-key=file The file containing the JWK public key. Or, a file containing one or more PEM formatted keys, if used with the K8SSA provisioner.

--client-id=id The id used to validate the audience in an OpenID Connect token.

--client-secret=secret The secret used to obtain the OpenID Connect tokens.

--listen-address=address The callback address used in the OpenID Connect flow (e.g. ":10000")

--configuration-endpoint=url OpenID Connect configuration url.

--admin=email The email of an admin user in an OpenID Connect provisioner, this user will not have restrictions in the certificates to sign. Use the '--admin' flag multiple times to configure multiple administrators.

--group=group The group list used to validate the groups extenstion in an OpenID Connect token. Use the '--group' flag multiple times to configure multiple groups.

--tenant-id=tenant-id The tenant-id used to replace the templatized {tenantid} in the OpenID Configuration.

--x5c-root=file Root certificate (chain) file used to validate the signature on X5C provisioning tokens.

--nebula-root=file Root certificate (chain) file used to validate the signature on Nebula provisioning tokens.

--force-cn Always set the common name in provisioned certificates.

--require-eab Require (and enable) External Account Binding for Account creation.

--challenge=challenge The SCEP challenge to use as a shared secret between a client and the CA

--capabilities=capabilities The SCEP capabilities to advertise

--include-root Include the CA root certificate in the SCEP CA certificate chain

--min-public-key-length=length The minimum public key length of the SCEP RSA encryption key

--encryption-algorithm-identifier=id The id for the SCEP encryption algorithm to use. Valid values are 0 - 4, inclusive. The values correspond to: 0: DES-CBC, 1: AES-128-CBC, 2: AES-256-CBC, 3: AES-128-GCM, 4: AES-256-GCM. Defaults to DES-CBC (0) for legacy clients.

--aws-account=id The AWS account id used to validate the identity documents. Use the flag multiple times to configure multiple accounts.

--azure-tenant=id The Microsoft Azure tenant id used to validate the identity tokens.

--azure-resource-group=name The Microsoft Azure resource group name used to validate the identity tokens. Use the flag multiple times to configure multiple resource groups

--azure-subscription-id=id The Microsoft Azure subscription id used to validate the identity tokens. Use the flag multiple times to configure multiple subscription IDs

--azure-object-id=id The Microsoft Azure AD object id used to validate the identity tokens. Use the flag multiple times to configure multiple object IDs

--gcp-service-account=email The Google service account email or id used to validate the identity tokens. Use the flag multiple times to configure multiple service accounts.

--gcp-project=id The Google project id used to validate the identity tokens. Use the flag multiple times to configure multiple projects

--instance-age=duration The maximum duration to grant a certificate in AWS and GCP provisioners. A duration is sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--iid-roots=file The file containing the certificates used to validate the instance identity documents in AWS.

--disable-custom-sans On cloud provisioners, if enabled only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

--disable-trust-on-first-use, --disable-tofu On cloud provisioners, if enabled multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

--admin-cert=chain Admin certificate (chain) in PEM format to store in the 'x5c' header of a JWT.

--admin-key=file Private key file, used to sign a JWT, corresponding to the admin certificate that will be stored in the 'x5c' header.

--admin-provisioner=name, --admin-issuer=name The provisioner name to use for generating admin credentials.

--admin-subject=subject, --admin-name=subject The admin subject to use for generating admin credentials.

--password-file=file The path to the file containing the password to encrypt or decrypt the private key.

--ca-url=URI URI of the targeted Step Certificate Authority.

--root=file The path to the PEM file used as the root certificate authority.

--context=name The context name to apply for the given command.

Examples

Create a JWK provisioner with newly generated keys and a template for x509 certificates:

Create a JWK provisioner with duration claims:

Create a JWK provisioner with existing keys:

Create an OIDC provisioner:

Create an X5C provisioner:

Create an ACME provisioner:

Create an ACME provisioner, forcing a CN and requiring EAB:

Create an K8SSA provisioner:

Create an SSHPOP provisioner for renewing SSH host certificates:")

Create a SCEP provisioner with 'secret' challenge and AES-256-CBC encryption:

Create an Azure provisioner with two resource groups, one subscription ID and one object ID:

Create an GCP provisioner that will only accept the SANs provided in the identity token:

Create an AWS provisioner that will only accept the SANs provided in the identity document and will allow multiple certificates from the same instance:

Create an AWS provisioner that will use a custom certificate to validate the instance identity documents: