step ca


step ca -- initialize and manage a certificate authority


step ca <subcommand> [arguments] [global-flags] [subcommand-flags]


step ca command group provides facilities to initialize a certificate authority, retrieve the root of trust, sign and renew certificates, and create and manage provisioners.


Create the configuration for a new certificate authority:

$ step ca init

Configure the ca-url and root in the environment:

$ step ca bootstrap \ --ca-url \ --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3 $ cat $STEPPATH/config/defaults.json { "ca-url": "", "fingerprint": "0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3", "root": "/home/user/.step/certs/root_ca.crt" }

Download the root_ca.crt:

$ step ca root root_ca.crt \ --ca-url \ --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3

Get the Health status of the CA:

$ step ca health --ca-url --root /home/user/.step/certs/root_ca.crt

Create a new certificate using a token:

$ TOKEN=$(step ca token $ step ca certificate internal.crt internal.key \ --token $TOKEN --ca-url --root root_ca.crt

Renew a certificate (certificate must still be valid):

$ step ca renew internal.crt internal.key \ --ca-url --root root_ca.crt


healthget the status of the CA
initinitialize the CA PKI
bootstrapinitialize the environment to use the CA commands
tokengenerate an OTT granting access to the CA
certificategenerate a new private key and certificate signed by the root certificate
rekeyrekey a certificate
renewrenew a certificate
revokerevoke a certificate
provisionercreate and manage the certificate authority provisioners
signgenerate a new certificate signing a certificate request
rootdownload and validate the root certificate
rootsdownload all the root certificates
federationdownload all the federated certificates
acmemanage ACME settings
policymanage certificate issuance policies
admincreate and manage the certificate authority admins