step ca


step ca – initialize and manage a certificate authority


step ca subcommand [arguments] [global-flags] [subcommand-flags]


The step ca command group provides facilities to initialize a certificate authority, retrieve the root of trust, sign and renew certificates, and create and manage provisioners.


Create the configuration for a new certificate authority:

$ step ca init

Configure the ca-url and root in the environment:

$ step ca bootstrap \
  --ca-url \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
$ cat $STEPPATH/config/defaults.json
{
  "ca-url": "",
  "fingerprint": "0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3",
  "root": "/home/user/.step/certs/root_ca.crt"
}

Download the root_ca.crt:

$ step ca root root_ca.crt \
  --ca-url \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3

Get the health status of the CA:

$ step ca health --ca-url --root /home/user/.step/certs/root_ca.crt

Create a new certificate using a token:

$ TOKEN=$(step ca token
$ step ca certificate internal.crt internal.key \
  --token $TOKEN --ca-url --root root_ca.crt

Renew a certificate (certificate must still be valid):

$ step ca renew internal.crt internal.key \
  --ca-url --root root_ca.crt
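
The --fingerprint value passed to bootstrap and root above is the SHA-256 digest of the root certificate's DER encoding. As an added example (not part of the step documentation; the function names are hypothetical, and awk, base64 and sha256sum are assumed to be installed), this checks that a root file on disk, such as the one recorded under "root" in defaults.json, still matches the pinned fingerprint:

```shell
# Added example; function names are hypothetical, not step CLI commands.
# Assumes a POSIX shell with awk, base64 and sha256sum (GNU coreutils).

# Print the lowercase hex SHA-256 of the DER bytes of the first
# certificate in PEM file $1. Fails if no certificate body is found.
pem_fingerprint() (
  body=$(awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
              /-----END CERTIFICATE-----/   {exit}
              on' "$1" | tr -d ' \r\n')
  [ -n "$body" ] || exit 1
  printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
)

# Compare certificate $1 against pin $2. Accepts plain hex or the
# colon-separated upper-case form that openssl prints.
# Returns 0 on match, 1 on mismatch or unreadable file, 2 on a bad pin.
verify_root_pin() (
  want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
  # Exactly 64 hex digits, so an empty or truncated pin never matches.
  case $want in *[!0-9a-f]*) exit 2 ;; esac
  [ "${#want}" -eq 64 ] || exit 2
  got=$(pem_fingerprint "$1") || exit 1
  [ "$got" = "$want" ]
)

# Constructed sample: the body is base64 of the bytes "abc", not a real
# certificate. It only exercises the PEM -> DER -> SHA-256 path.
sample_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'YWJj' \
    '-----END CERTIFICATE-----'
}

tmp=$(mktemp) && sample_pem > "$tmp"
pin=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
if verify_root_pin "$tmp" "$pin"; then echo "root matches pin"
else echo "root does NOT match pin" >&2; fi
rm -f "$tmp"
```

Against a real deployment, pass the "root" path and the "fingerprint" value from defaults.json, with the fingerprint obtained over a channel separate from the one that delivered the certificate.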


health        get the status of the CA
init          initialize the CA PKI
bootstrap     initialize the environment to use the CA commands
token         generate an OTT granting access to the CA
certificate   generate a new private key and certificate signed by the root certificate
renew         renew a valid certificate
revoke        revoke a certificate
provisioner   create and manage the certificate authority provisioners
sign          generate a new certificate signing a certificate request
root          download and validate the root certificate
roots         download all the root certificates
federation    download all the federated certificates