Menu
Products
Open Source
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
Products
Open Source
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
step crypto jws
Name
step crypto jws -- sign and verify data using JSON Web Signature (JWS)
Usage
step crypto jws <subcommand> [arguments] [global-flags] [subcommand-flags]
Description
JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures.
Examples
Create a signed JWS of a message using an Ed25519 private JWK (with line breaks for display purposes only):
$ echo -n message | step crypto jws sign --key ed25519.priv.json
eyJhbGciOiJFZERTQSIsImtpZCI6IjlxaVFZUFU3SHJTOXBYdXpYYzc1WGctMXc5c0JGM2lXVld2cDhieE5oc28ifQ
.
bWVzc2FnZQ
.
ZlJvznC3iE4zhwmnCL74UtHXEUs6pb62vf38GFBLbFMKnIFiOGpAFcNv3es-WvPHYfyIIClAjwCfe505gxz5BQ
Verify and display the message using the public key:
$ echo $TOKEN | step crypto jws verify --key ed25519.pub.json
message
Verify and display a JSON representation of the token, the message is base64 encoded in the payload:
$ echo $TOKEN | step crypto jws verify --key ed25519.pub.json --json
{
"header": {
"alg": "EdDSA",
"kid": "9qiQYPU7HrS9pXuzXc75Xg-1w9sBF3iWVWvp8bxNhso"
},
"payload": "bWVzc2FnZQ",
"signature": "ZlJvznC3iE4zhwmnCL74UtHXEUs6pb62vf38GFBLbFMKnIFiOGpAFcNv3es-WvPHYfyIIClAjwCfe505gxz5BQ"
}
Inspect the content of the JWS without verifying it:
$ echo $TOKEN | step crypto jws inspect --insecure
message
$ echo $TOKEN | step crypto jws inspect --insecure --json
{
"header": {
"alg": "EdDSA",
"kid": "9qiQYPU7HrS9pXuzXc75Xg-1w9sBF3iWVWvp8bxNhso"
},
"payload": "bWVzc2FnZQ",
"signature": "ZlJvznC3iE4zhwmnCL74UtHXEUs6pb62vf38GFBLbFMKnIFiOGpAFcNv3es-WvPHYfyIIClAjwCfe505gxz5BQ"
}
Using a JSON message using an P-256 curve and adding the content type json:
$ echo -n {"dns":"https://dns.example.com"} | step crypto jws sign --key p256.priv.json --cty json
eyJhbGciOiJFUzI1NiIsImN0eSI6Impzb24iLCJraWQiOiJWOTNBLVloN0JodzFXMkUwaWdGY2l2aUp6WDRQWFBzd29WZ3JpZWhtOUNvIn0
.
eyJkbnMiOiJodHRwczovL2Rucy5leGFtcGxlLmNvbSJ9
.
ZI8q75r3PCXeu-Tubw7bHiDGxloPpAHV2hNfEp9N4WM2r3Wsk5uFhAkBTVIqryPtxmAgfRHGnE3hj-3Dp9nZmA
$ echo $TOKEN | step crypto jws verify --key p256.pub.json
{"dns":"https://dns.example.com"}
$ echo $TOKEN | step crypto jws verify --key p256.pub.json --json
{
"header": {
"alg": "ES256",
"cty": "json",
"kid": "V93A-Yh7Bhw1W2E0igFciviJzX4PXPswoVgriehm9Co"
},
"payload": "eyJkbnMiOiJodHRwczovL2Rucy5leGFtcGxlLmNvbSJ9",
"signature": "ZI8q75r3PCXeu-Tubw7bHiDGxloPpAHV2hNfEp9N4WM2r3Wsk5uFhAkBTVIqryPtxmAgfRHGnE3hj-3Dp9nZmA"
}
Commands
Commands
Subscribe to updates
Unsubscribe anytime. See our privacy policy.
© 2023 Smallstep Labs, Inc. All rights reserved.