NAME

step ca – initialize and manage a certificate authority

USAGE

step ca subcommand [arguments] [global-flags] [subcommand-flags]

DESCRIPTION

The step ca command group provides facilities to initialize a certificate authority, retrieve the root of trust, sign and renew certificates, and create and manage provisioners.

EXAMPLES

Create the configuration for a new certificate authority:

$ step ca init

Configure the ca-url and root in the environment:

$ step ca bootstrap \
  --ca-url https://ca.smallstep.com \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
$ cat $STEPPATH/config/defaults.json
{
  "ca-url": "https://ca.smallstep.com",
  "fingerprint": "0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3",
  "root": "/home/user/.step/certs/root_ca.crt"
}

Download the root_ca.crt:

$ step ca root root_ca.crt \
  --ca-url https://ca.smallstep.com \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
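
Added example (not part of the step documentation): a Python check that the file named by "root" in the defaults.json shown above still hashes to the pinned "fingerprint", for instance after the trust directory has been restored or synced. It assumes the fingerprint is the hex SHA-256 digest of the DER-encoded root certificate; the function names are hypothetical, and the sample root bytes and the ca.example.test URL are constructed stand-ins.

```python
import hashlib
import json
import ssl
import tempfile
from pathlib import Path

HEADER = "-----BEGIN CERTIFICATE-----"

def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:..' or plain hex; return 64 lowercase hex characters."""
    fp = fp.replace(":", "").strip().lower()
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("fingerprint is not a SHA-256 hex digest")
    return fp

def cert_fingerprint(pem_text: str) -> str:
    """Hex SHA-256 of the DER bytes of the single certificate in pem_text."""
    # Assumption: the step fingerprint is SHA-256 over the certificate's DER bytes.
    if pem_text.count(HEADER) != 1:
        raise ValueError("expected exactly one certificate in the root file")
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()

def audit_defaults(defaults_path) -> bool:
    """True only if the file named by 'root' hashes to the pinned 'fingerprint'."""
    cfg = json.loads(Path(defaults_path).read_text())
    pinned = normalize_fingerprint(cfg["fingerprint"])
    actual = cert_fingerprint(Path(cfg["root"]).read_text())
    return pinned == actual

def write_sample(directory, der: bytes) -> Path:
    """Constructed sample: stand-in DER bytes, not a real certificate."""
    root = Path(directory) / "root_ca.crt"
    root.write_text(ssl.DER_cert_to_PEM_cert(der))
    cfg = {"ca-url": "https://ca.example.test",
           "fingerprint": hashlib.sha256(der).hexdigest(), "root": str(root)}
    defaults = Path(directory) / "defaults.json"
    defaults.write_text(json.dumps(cfg))
    return defaults

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        defaults = write_sample(tmp, b"constructed stand-in for DER bytes")
        print("after bootstrap:", audit_defaults(defaults))
        # Simulate the root file being replaced while defaults.json is unchanged.
        (Path(tmp) / "root_ca.crt").write_text(ssl.DER_cert_to_PEM_cert(b"swapped root"))
        print("after root file replaced:", audit_defaults(defaults))
```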

Get the health status of the CA:

$ step ca health --ca-url https://ca.smallstep.com --root /home/user/.step/certs/root_ca.crt

Create a new certificate using a token:

$ TOKEN=$(step ca token internal.example.com)
$ step ca certificate internal.example.com internal.crt internal.key \
  --token $TOKEN --ca-url https://ca.smallstep.com --root root_ca.crt

Renew a certificate (certificate must still be valid):

$ step ca renew internal.crt internal.key \
  --ca-url https://ca.smallstep.com --root root_ca.crt

COMMANDS

health       get the status of the CA
init         initialize the CA PKI
bootstrap    initialize the environment to use the CA commands
token        generate an OTT granting access to the CA
certificate  generate a new private key and certificate signed by the root certificate
renew        renew a valid certificate
revoke       revoke a certificate
provisioner  create and manage the certificate authority provisioners
sign         generate a new certificate signing a certificate request
root         download and validate the root certificate
roots        download all the root certificates
federation   download all the federated certificates