Name

step ca -- initialize and manage a certificate authority

Usage

step ca <subcommand> [arguments] [global-flags] [subcommand-flags]

Description

The step ca command group provides facilities to initialize a certificate authority, retrieve the root of trust, sign and renew certificates, and create and manage provisioners.

Examples

Create the configuration for a new certificate authority:

$ step ca init

Configure the ca-url and root in the environment:

$ step ca bootstrap \
  --ca-url https://ca.smallstep.com \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
$ cat $STEPPATH/config/defaults.json
{
  "ca-url": "https://ca.smallstep.com",
  "fingerprint": "0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3",
  "root": "/home/user/.step/certs/root_ca.crt"
}

Download the root_ca.crt:

$ step ca root root_ca.crt \
  --ca-url https://ca.smallstep.com \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
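
An independent check of a downloaded root certificate against the pinned fingerprint, as an added example (not part of the step documentation). It assumes the fingerprint is the SHA-256 digest of the certificate's DER encoding and that base64 and sha256sum are available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: recompute the SHA-256 fingerprint of a root certificate from
# its PEM file and compare it with a fingerprint obtained out-of-band.

# Print the lowercase hex SHA-256 of the DER bytes of the FIRST certificate
# in the PEM file $1. Fails if the file contains no certificate block.
cert_fingerprint() {
  body=$(awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; next }
              /-----END CERTIFICATE-----/   { exit }
              inside { printf "%s", $0 }' "$1" | tr -d ' \r\n') || return 1
  [ -n "$body" ] || return 1
  printf '%s' "$body" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Accept "AB:CD:..." or "abcd..." spellings of the same fingerprint.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# verify_root <pem-file> <expected-fingerprint>
# Returns 0 on match, 1 on mismatch or unreadable certificate,
# 2 if the expected value is not a well-formed SHA-256 fingerprint.
verify_root() {
  expected=$(normalize_fp "$2")
  case "$expected" in
    *[!0-9a-f]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2   # 32 bytes = 64 hex characters
  actual=$(cert_fingerprint "$1") || return 1
  [ "$actual" = "$expected" ]
}

# Usage: sh verify_root.sh root_ca.crt <fingerprint>
if [ "$#" -eq 2 ]; then
  if verify_root "$1" "$2"; then
    echo "fingerprint matches"
  else
    echo "fingerprint MISMATCH or invalid input: do not trust $1" >&2
    exit 1
  fi
fi
```

The expected fingerprint should come from a channel other than the one that delivered the certificate; a truncated or malformed value is rejected rather than compared.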

Get the health status of the CA:

$ step ca health --ca-url https://ca.smallstep.com --root /home/user/.step/certs/root_ca.crt

Create a new certificate using a token:

$ TOKEN=$(step ca token internal.example.com)
$ step ca certificate internal.example.com internal.crt internal.key \
  --token $TOKEN --ca-url https://ca.smallstep.com --root root_ca.crt

Renew a certificate (certificate must still be valid):

$ step ca renew internal.crt internal.key \
  --ca-url https://ca.smallstep.com --root root_ca.crt

Commands

Name         Usage
health       get the status of the CA
init         initialize the CA PKI
bootstrap    initialize the environment to use the CA commands
token        generate an OTT granting access to the CA
certificate  generate a new private key and certificate signed by the root certificate
rekey        rekey a certificate
renew        renew a certificate
revoke       revoke a certificate
provisioner  create and manage the certificate authority provisioners
sign         generate a new certificate from signing a certificate request
root         download and validate the root certificate
roots        download all the root certificates
federation   download all the federated certificates
acme         manage ACME settings
policy       manage certificate issuance policies
admin        create and manage the certificate authority admins