Menu
Products
Open Source
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
Products
Open Source
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
step crypto keypair
Name
step crypto keypair -- generate a public / private keypair in PEM format
Usage
step crypto keypair <pub_file> <priv_file>
[--kty=<key-type>] [--curve=<curve>] [--size=<size>]
[--password-file=<file>] [--no-password] [--insecure]
Description
step crypto keypair generates a raw public / private keypair in PEM format. These keys can be used by other operations to sign and encrypt data, and the public key can be bound to an identity in a CSR and signed by a CA to produce a certificate.
Private keys are encrypted using a password. You'll be prompted for this password automatically when the key is used.
Positional arguments
pub_file
The path to write the public key.
priv_file
The path to write the private key.
Options
--kty=kty
The kty to build the certificate upon.
If unset, default is EC.
kty is a case-sensitive string and must be one of:
EC: Create an elliptic curve keypair
OKP: Create an octet key pair (for "Ed25519" curve)
RSA: Create an RSA keypair
--size=size
The size (in bits) of the key for RSA and oct key types. RSA keys require a
minimum key size of 2048 bits. If unset, default is 2048 bits for RSA keys and 128 bits for oct keys.
--crv=curve, --curve=curve
The elliptic curve to use for EC and OKP key types. Corresponds
to the "crv" JWK parameter. Valid curves are defined in JWA [RFC7518]. If
unset, default is P-256 for EC keys and Ed25519 for OKP keys.
curve is a case-sensitive string and must be one of:
P-256: NIST P-256 Curve
P-384: NIST P-384 Curve
P-521: NIST P-521 Curve
Ed25519: Ed25519 Curve
--from-jwk=jwk-file
Create a PEM representing the key encoded in an
existing jwk-file instead of creating a new key.
--password-file=file
The path to the file containing the password to encrypt or decrypt the private key.
--no-password Do not ask for a password to encrypt a private key. Sensitive key material will be written to disk unencrypted. This is not recommended. Requires --insecure flag.
--insecure
-f, --force Force the overwrite of files without asking.
Exit codes
This command returns 0 on success and >0 if any error occurs.
Examples
Create an RSA public / private key pair with 4096 bits:
$ step crypto keypair foo.pub foo.key --kty RSA --size 4096
Create an RSA public / private key with fewer than the recommended number of bits (recommended `= 2048 bits):
$ step crypto keypair foo.pub foo.key --kty RSA --size 1024 --insecure
Create an EC public / private key pair with curve P-521:
$ step crypto keypair foo.pub foo.key --kty EC --curve "P-521"
Create an EC public / private key pair but do not encrypt the private key file:
$ step crypto keypair foo.pub foo.key --kty EC --curve "P-256" \
--no-password --insecure
Create an Octet Key Pair with curve Ed25519:
$ step crypto keypair foo.pub foo.key --kty OKP --curve Ed25519
Subscribe to updates
Unsubscribe anytime. See our privacy policy.
© 2023 Smallstep Labs, Inc. All rights reserved.