Menu
Products
Open Source
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
Products
Open Source
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
step ca
Name
step ca -- initialize and manage a certificate authority
Usage
step ca <subcommand> [arguments] [global-flags] [subcommand-flags]
Description
step ca command group provides facilities to initialize a certificate authority, retrieve the root of trust, sign and renew certificates, and create and manage provisioners.
Examples
Create the configuration for a new certificate authority:
$ step ca init
Configure the ca-url and root in the environment:
$ step ca bootstrap \
--ca-url https://ca.smallstep.com \
--fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
$ cat $STEPPATH/config/defaults.json
{
"ca-url": "https://ca.smallstep.com",
"fingerprint": "0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3",
"root": "/home/user/.step/certs/root_ca.crt"
}
Download the root_ca.crt:
$ step ca root root_ca.crt \
--ca-url https://ca.smallstep.com \
--fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
Get the Health status of the CA:
$ step ca health --ca-url https://ca.smallstep.com --root /home/user/.step/certs/root_ca.crt
Create a new certificate using a token:
$ TOKEN=$(step ca token internal.example.com)
$ step ca certificate internal.example.com internal.crt internal.key \
--token $TOKEN --ca-url https://ca.smallstep.com --root root_ca.crt
Renew a certificate (certificate must still be valid):
$ step ca renew internal.crt internal.key \
--ca-url https://ca.smallstep.com --root root_ca.crt
Commands
| Name | Usage |
|---|---|
| health | get the status of the CA |
| init | initialize the CA PKI |
| bootstrap | initialize the environment to use the CA commands |
| token | generate an OTT granting access to the CA |
| certificate | generate a new private key and certificate signed by the root certificate |
| rekey | rekey a certificate |
| renew | renew a certificate |
| revoke | revoke a certificate |
| provisioner | create and manage the certificate authority provisioners |
| sign | generate a new certificate signing a certificate request |
| root | download and validate the root certificate |
| roots | download all the root certificates |
| federation | download all the federated certificates |
| acme | manage ACME settings |
| policy | manage certificate issuance policies |
| admin | create and manage the certificate authority admins |
Subscribe to updates
Unsubscribe anytime. See our privacy policy.
© 2023 Smallstep Labs, Inc. All rights reserved.