step certificate create

Name

step certificate create -- create a certificate or certificate signing request

Usage

step certificate create <subject> <crt-file> <key-file>
[--kms=<uri>] [--csr] [--profile=<profile>]
[--template=<file>] [--set=<key=value>] [--set-file=<file>]
[--not-before=<duration>] [--not-after=<duration>]
[--password-file=<file>] [--ca=<issuer-cert>]
[--ca-key=<issuer-key>] [--ca-password-file=<file>]
[--san=<SAN>] [--bundle] [--key=<file>]
[--kty=<type>] [--curve=<curve>] [--size=<size>]
[--no-password] [--insecure]

Description

step certificate create generates a certificate or a certificate signing request (CSR) that can be signed later using 'step certificate sign' (or some other tool) to produce a certificate.

By default this command creates x.509 certificates or CSRs for use with TLS. If you need something else, you can customize the output using templates. See TEMPLATES below.

Positional arguments

subject The subject of the certificate. Typically this is a hostname for services or an email address for people.

crt-file File to write CRT or CSR to (PEM format)

key-file File to write private key to (PEM format). This argument is optional if --key is passed.

Options

--kms=uri The uri to configure a Cloud KMS or an HSM.

--csr Generate a certificate signing request (CSR) instead of a certificate.

--profile=profile The certificate profile sets various certificate details such as certificate use and expiration. The default profile is 'leaf' which is suitable for a client or server using TLS.

profile is a case-sensitive string and must be one of:

--template=file The certificate template file, a JSON representation of the certificate to create.

--set=key=value The key=value pair with template data variables. Use the --set flag multiple times to add multiple variables.

--set-file=file The JSON file with the template data variables.

--password-file=file The path to the file containing the password to encrypt the new private key or decrypt the user submitted private key.

--ca=value The certificate authority used to issue the new certificate (PEM file).

--ca-key=value The certificate authority private key used to sign the new certificate (PEM file).

--ca-password-file=file The path to the file containing the password to decrypt the CA private key.

--key=file The file of the private key to use instead of creating a new one (PEM file).

--no-password Do not ask for a password to encrypt the private key. Sensitive key material will be written to disk unencrypted. This is not recommended. Requires --insecure flag.

--not-before=time|duration The time|duration set in the NotBefore property of the certificate. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--not-after=time|duration The time|duration set in the NotAfter property of the certificate. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--san=value Add DNS or IP Address Subjective Alternative Names (SANs). Use the '--san' flag multiple times to configure multiple SANs.

--bundle Bundle the new leaf certificate with the signing certificate. This flag requires the --ca flag.

--kty=kty The kty to build the certificate upon. If unset, default is EC.

kty is a case-sensitive string and must be one of:

--size=size The size (in bits) of the key for RSA and oct key types. RSA keys require a minimum key size of 2048 bits. If unset, default is 2048 bits for RSA keys and 128 bits for oct keys.

--crv=curve, --curve=curve The elliptic curve to use for EC and OKP key types. Corresponds to the "crv" JWK parameter. Valid curves are defined in JWA [RFC7518]. If unset, default is P-256 for EC keys and Ed25519 for OKP keys.

curve is a case-sensitive string and must be one of:

-f, --force Force the overwrite of files without asking.

--subtle

Exit codes

This command returns 0 on success and >0 if any error occurs.

Templates

With templates, you can customize the generated certificate or CSR. Templates are JSON files representing a certificate [1] or a certificate request [2]. They use Golang's text/template package [3] and Sprig functions [4].

Here's the default template used for generating a leaf certificate:

And this is the default template for a CSR:

In a custom template, you can change the subject, dnsNames, emailAddresses, ipAddresses, and uris, and you can add custom x.509 extensions or set the signatureAlgorithm.

For certificate templates, the common extensions keyUsage, extKeyUsage, and basicConstraints are also represented as JSON fields.

Two variables are available in templates: .Subject contains the subject argument, and .SANs contains the SANs provided with the --san flag.

Both .Subject and .SANs are objects, and they must be converted to JSON to be used in the template, you can do this using Sprig's toJson function. On the .Subject object you can access the common name string using the template variable .Subject.CommonName. In EXAMPLES below, you can see how these variables are used in a certificate request.

For more information on the template properties and functions see:

[1] https://pkg.go.dev/go.step.sm/crypto/x509util?tab=doc#Certificate
[2] https://pkg.go.dev/go.step.sm/crypto/x509util?tab=doc#CertificateRequest
[3] https://golang.org/pkg/text/template/
[4] https://masterminds.github.io/sprig/

Examples

Create a CSR and key:

Create a CSR using an existing private key:

Create a CSR using an existing encrypted private key:

Create a CSR and key with custom Subject Alternative Names:

Create a CSR and key - do not encrypt the key when writing to disk:

Create a root certificate and key:

Create an intermediate certificate and key:

Create a leaf certificate and key:

Create a leaf certificate and encrypt the private key:

Create a leaf certificate and decrypt the CA private key:

Create a leaf certificate and key with custom Subject Alternative Names:

Create a leaf certificate and key with custom validity:

Create a self-signed leaf certificate and key:

Create a root certificate and key with underlying OKP Ed25519:

Create an intermediate certificate and key with underlying EC P-256 key pair:

Create a leaf certificate and key with underlying RSA 2048 key pair:

Create a CSR and key with underlying OKP Ed25519:

Create a root certificate using a custom template. The root certificate will have a path length constraint that allows at least 2 intermediates:

Create an intermediate certificate using the previous root. By extending the maxPathLen we are enabling this intermediate sign leaf and intermediate certificates. We will also make the subject configurable using the --set and --set-file flags.

Sign a new intermediate using the previous intermediate, now with path length 0 using the --profile flag:

Create a leaf certificate, that is the default profile and bundle it with the two intermediate certificates and validate it:

Create a certificate request using a template:

Create a root certificate using step-kms-plugin:

Create an intermediate certificate using step-kms-plugin: