Zero trust swiss army knife

We've built the step command line interface to be a swiss army knife for working with zero trust technologies. Create and sign certificates, inspect and verify JWTs, and forget about memorizing openssl usage for good.

$ TOKEN=$(step oauth --bare --oidc)
$ GOOG=""
$ echo $TOKEN | step crypto jwt verify --jwks $GOOG --subtle
{
  "header": {
    "alg": "RS256",
    "kid": "9a33b5edb49d0867a8672d9573b1e0d2375886e1"
  },
  "payload": {
    "azp": "",
    "aud": "",
    "sub": "107273808323495259178",
    "hd": "",
    "email": "",
    "email_verified": true,
    "at_hash": "1tQuEWqaCtRzKp6doePLyQ",
    "exp": 1533599080,
    "iss": "",
    "iat": 1533595480
  },
  "signature": "jbmrziGKXtcWwdXeWf2bIX4hB9m4q4mQsTjtmBOcqsVfblkqvdI_hyAd4wqJsGw2qMg2RjLi6T8GPtjvs2z1rPbzbsEEr00QvjO-93VNKeGa6DcU9F5AET-gyDEYda1w-Sg-I35zgBGhDllb0rha6MNmJTzEZ8NXNQJOnaoK82lNarzp0A4sd0STb4vv5dUAJ4"
}

Installation: see Installing step, or run brew install step.

Open sourced on GitHub.

What's included? Everything you need to work with certificates, tokens, JOSE structures (JWT, JWK, JWE, JWS), and common cryptography primitives.


Create a certificate authority and leaf X.509 certificates for use with TLS. Inspect and validate X.509 certificates.

step certificate create Create an X.509 certificate or certificate signing request for use with TLS.

step certificate sign Sign a certificate signing request (CSR) to produce a certificate.

step certificate bundle Bundle a certificate with intermediate certificate(s) needed for certificate path validation.

step certificate inspect Print X.509 certificate or CSR details in human readable format.

step certificate lint Lint an X.509 certificate for cryptographic strength and RFC 5280 compliance.

step certificate verify Run certificate path validation on a certificate, checking signatures and validity dates.

step certificate format Reformat certificate.

step certificate fingerprint Print the fingerprint of a certificate.

step certificate key Print public key embedded in a certificate.

step certificate install Install a root certificate in the system truststore.

step certificate uninstall Uninstall a root certificate from the system truststore.

Online Certificate Authority

Subcommands to interact with step certificates’ (Online Certificate Authority) APIs.

step ca init Initialize the CA PKI.

step ca token Generate a one-time token granting access to the CA.

step ca certificate Generate a new private key and certificate signed by the root certificate.

step ca bootstrap Initialize the environment to use the CA commands.

step ca sign Generate a new certificate by signing a certificate signing request (CSR).

step ca root Download and validate the root certificate.

step ca roots Download all the root certificates.

step ca renew Renew a valid certificate.

step ca revoke Revoke a certificate.

step ca provisioner Create and manage the certificate authority provisioners.

step ca health Get the status of the CA.

step ca federation Download all the federated certificates.

JOSE (JWT and friends)

Tools to work with the JOSE (JSON Object Signing and Encryption) data structures.

JWK (JSON Web Key)

Create JWKs (JSON Web Keys) and manage JWK Sets.

step crypto jwk create Create a JWK to use for signing or encrypting data.

step crypto jwk keyset Add, remove, and find JWKs in JWK Sets.

step crypto jwk public Extract a public JWK from a private JWK.

step crypto jwk thumbprint Compute the JWK thumbprint for a JWK.

JWT (JSON Web Tokens)

Sign and verify claims using JSON Web Tokens (JWT).

step crypto jwt sign Create a signed JWT data structure.

step crypto jwt verify Verify a signed JWT data structure and return the payload.

step crypto jwt inspect Print the decoded JWT without verification.

JWE (JSON Web Encryption)

Encrypt and decrypt data and keys using JSON Web Encryption (JWE).

step crypto jwe encrypt Encrypt a payload using JWE.

step crypto jwe decrypt Verify and decrypt a JWE, printing the decrypted plaintext.

JWS (JSON Web Signatures)

Sign and verify data using JSON Web Signatures (JWS).

step crypto jws sign Sign some data and produce a JWS data structure.

step crypto jws verify Verify a JWS data structure and return the payload.

step crypto jws inspect Print the decoded JWS without verification.

JOSE Utilities

step crypto jose format Convert between compact serialization and JSON serialization of JOSE data structures.


More useful cryptographic primitives.

step crypto hash Generate and check hashes of files and directories.

step crypto key Manage keys.

step crypto kdf Derive a key from a password, or check a password against a stored hash, using a key derivation function (KDF).

step crypto nacl Easy-to-use high-speed tools for encryption and signing.

step crypto keypair Generate a public / private keypair in PEM format.

step crypto otp Generate and verify OATH one-time passwords.

step crypto change-pass Change password of an encrypted private key (PEM or JWK format).