step certificate

Name

step certificate -- create, revoke, validate, bundle, and otherwise manage certificates

Usage

step certificate SUBCOMMAND [ARGUMENTS] [GLOBAL_FLAGS] [SUBCOMMAND_FLAGS]

Description

step certificate command group provides facilities for creating certificate signing requests (CSRs), creating self-signed certificates (e.g., for use as a root certificate authority), generating leaf or intermediate CA certificate by signing a CSR, validating certificates, renewing certificates, generating certificate bundles, and key-wrapping of private keys.

Examples

Create a root certificate and private key using the default parameters (EC P-256 curve):

$ step certificate create foo foo.crt foo.key --profile root-ca

Create a leaf certificate and private key using the default parameters (EC P-256 curve):

$ step certificate create baz baz.crt baz.key --ca ./foo.crt --ca-key ./foo.key

Create a CSR and private key using the default parameters (EC P-256 curve):

$ step certificate create zap zap.csr zap.key --csr

Sign a CSR and generate a signed certificate:

$ step certificate sign zap.csr foo.crt foo.key

Inspect the contents of a certificate:

$ step certificate inspect ./baz.crt

Verify the signature of a certificate:

$ step certificate verify ./baz.crt --roots ./foo.crt

Lint the contents of a certificate to check for common errors and missing fields:

$ step certificate lint ./baz.crt

Bundle an end certificate with the issuing certificate:

$ step certificate bundle ./baz.crt ./foo.crt bundle.crt

Convert PEM format certificate to DER and write to disk.

$ step certificate format foo.pem --out foo.der

Extract the public key from a PEM encoded certificate:

$ step certificate key foo.crt

Install a root certificate in the system's default trust store:

$ step certificate install root-ca.crt

Uninstall a root certificate from the system's default trust store:

$ step certificate uninstall root-ca.crt

Commands

NameUsage
bundlebundle a certificate with intermediate certificate(s) needed for certificate path validation
createcreate a certificate or certificate signing request
formatreformat certificate
inspectprint certificate or CSR details in human readable format
fingerprintprint the fingerprint of a certificate
lintlint certificate details
needs-renewalCheck if a certificate needs to be renewed
signsign a certificate signing request (CSR)
verifyverify a certificate
keyprint public key embedded in a certificate
installinstall a root certificate in the supported trust stores
uninstalluninstall a root certificate from the supported trust stores
p12package a certificate and keys into a .p12 file