We've built the step command line interface to be a Swiss Army knife for working with zero trust technologies. Create and sign certificates, inspect and verify JWTs, and forget about memorizing openssl usage for good.
brew install smallstep/smallstep/step
What's included? Everything you need to work with certificates, tokens, JOSE structures (JWT, JWK, JWE, JWS), and common cryptography primitives.
Create a certificate authority and leaf X.509 certificates for use with TLS. Inspect and validate X.509 certificates.
step certificate create
Create an X.509 certificate or certificate signing request for use with TLS.
step certificate sign
Sign a certificate signing request (CSR) to produce a certificate.
step certificate bundle
Bundle a certificate with intermediate certificate(s) needed for certificate path validation.
step certificate inspect
Print X.509 certificate or CSR details in human-readable format.
step certificate lint
Lint an X.509 certificate for cryptographic strength and RFC 5280 compliance.
step certificate verify
Run certificate path validation on a certificate, checking signatures and validity dates.
step certificate format
step certificate fingerprint
Print the fingerprint of a certificate.
Subcommands to interact with step certificates’ (Online Certificate Authority) APIs.
step ca init
Initialize the CA PKI.
step ca token
Generate a one-time token granting access to the CA.
step ca certificate
Generate a new certificate pair signed by the root certificate.
step ca bootstrap
Initialize the environment to use the CA commands.
step ca sign
Generate a new private key and certificate signed by the root certificate.
step ca root
Download and validate the root certificate.
step ca renew
Renew a valid certificate.
step ca provisioner
Create and manage the certificate authority provisioners.
step ca health
Get the status of the CA.
Tools to work with the JOSE (JSON Object Signing and Encryption) data structures.
Create JWKs (JSON Web Keys) and manage JWK Sets.
step crypto jwk create
Create a JWK to use for signing or encrypting data.
step crypto jwk keyset
Add, remove, and find JWKs in JWK Sets.
step crypto jwk public
Extract a public JWK from a private JWK.
step crypto jwk thumbprint
Compute the JWK thumbprint for a JWK.
Sign and verify claims using JSON Web Tokens (JWT).
step crypto jwt sign
Create a signed JWT data structure.
step crypto jwt verify
Verify a signed JWT data structure and return the payload.
step crypto jwt inspect
Print the decoded JWT without verification.
Encrypt and decrypt data and keys using JSON Web Encryption (JWE).
step crypto jwe encrypt
Encrypt a payload using JWE.
step crypto jwe decrypt
Verify and decrypt a JWE, printing the decrypted plaintext.
Sign and verify data using JSON Web Signatures (JWS).
step crypto jws sign
Sign some data and produce a JWS data structure.
step crypto jws verify
Verify a JWS data structure and return the payload.
step crypto jws inspect
Print the decoded JWS without verification.
step crypto jose format
Convert between compact serialization and JSON serialization of JOSE data structures.
More useful cryptographic primitives.
step crypto hash
Generate and check hashes of files and directories.
step crypto key
step crypto kdf
Apply or check a password using a key derivation function (KDF).
step crypto nacl
Easy-to-use high-speed tools for encryption and signing.
step crypto keypair
Generate a public / private keypair in PEM format.
step crypto otp
Generate and verify OATH one-time passwords.
step crypto change-pass
Change password of an encrypted private key (PEM or JWK format).