Zero trust Swiss Army knife

We've built the step command line interface to be a Swiss Army knife for working with zero trust technologies. Create and sign certificates, inspect and verify JWTs, and forget about memorizing openssl usage for good.

TOKEN=$(step oauth --bare --oidc)
GOOG=""
echo $TOKEN | step crypto jwt verify --jwks $GOOG --subtle
{
  "header": {
    "alg": "RS256",
    "kid": "9a33b5edb49d0867a8672d9573b1e0d2375886e1"
  },
  "payload": {
    "azp": "",
    "aud": "",
    "sub": "107273808323495259178",
    "hd": "",
    "email": "",
    "email_verified": true,
    "at_hash": "1tQuEWqaCtRzKp6doePLyQ",
    "exp": 1533599080,
    "iss": "",
    "iat": 1533595480
  },
  "signature": "jbmrziGKXtcWwdXeWf2bIX4hB9m4q4mQsTjtmBOcqsVfblkqvdI_hyAd4wqJsGw2qMg2RjLi6T8GPtjvs2z1rPbzbsEEr00QvjO-93VNKeGa6DcU9F5AET-gyDEYda1w-Sg-I35zgBGhDllb0rha6MNmJTzEZ8NXNQJOnaoK82lNarzp0A4sd0STb4vv5dUAJ4"
}

Installing step

brew install smallstep/smallstep/step

Open sourced on GitHub at smallstep/cli

What's included? Everything you need to work with certificates, tokens, JOSE structures (JWT, JWK, JWE, JWS), and common cryptography primitives.


Create a certificate authority and leaf X.509 certificates for use with TLS. Inspect and validate X.509 certificates.

step certificate create
Create an X.509 certificate or certificate signing request for use with TLS.

step certificate sign
Sign a certificate signing request (CSR) to produce a certificate.

step certificate bundle
Bundle a certificate with intermediate certificate(s) needed for certificate path validation.

step certificate inspect
Print X.509 certificate or CSR details in human-readable format.

step certificate lint
Lint an X.509 certificate for cryptographic strength and RFC 5280 compliance.

step certificate verify
Run certificate path validation on a certificate, checking signatures and validity dates.

JOSE (JWT and friends)

Tools to work with the JOSE (JSON Object Signing and Encryption) data structures.

JWK (JSON Web Key)

Create JWKs (JSON Web Keys) and manage JWK Sets.

step crypto jwk create
Create a JWK to use for signing or encrypting data.

step crypto jwk keyset
Add, remove, and find JWKs in JWK Sets.

step crypto jwk public
Extract a public JWK from a private JWK.

step crypto jwk thumbprint
Compute the JWK thumbprint for a JWK.

JWT (JSON Web Tokens)

Sign and verify claims using JSON Web Tokens (JWT).

step crypto jwt sign
Create a signed JWT data structure.

step crypto jwt verify
Verify a signed JWT data structure and return the payload.

step crypto jwt inspect
Print the decoded JWT without verification.

JWE (JSON Web Encryption)

Encrypt and decrypt data and keys using JSON Web Encryption (JWE).

step crypto jwe encrypt
Encrypt a payload using JWE.

step crypto jwe decrypt
Verify and decrypt a JWE, printing the decrypted plaintext.

JWS (JSON Web Signatures)

Sign and verify data using JSON Web Signatures (JWS).

step crypto jws sign
Sign some data and produce a JWS data structure.

step crypto jws verify
Verify a JWS data structure and return the payload.

step crypto jws inspect
Print the decoded JWS without verification.

JOSE Utilities

step crypto jose format
Convert between compact serialization and JSON serialization of JOSE data structures.


More useful cryptographic primitives.

step crypto hash
Generate and check hashes of files and directories.

step crypto kdf
Apply or check a password using a key derivation function (KDF).

step crypto nacl
Easy-to-use high-speed tools for encryption and signing.

step crypto keypair
Generate a public/private keypair in PEM format.

step crypto otp
Generate and verify OATH one-time passwords.