step ca

NAME

step ca – initialize and manage a certificate authority

USAGE

step ca subcommand [arguments] [global-flags] [subcommand-flags]

DESCRIPTION

The step ca command group provides facilities to initialize a certificate authority, retrieve the root of trust, sign and renew certificates, and create and manage provisioners.

EXAMPLES

Create the configuration for a new certificate authority:

$ step ca init

Configure the ca-url and root in the environment:

$ step ca bootstrap \
  --ca-url https://ca.smallstep.com \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
$ cat $STEPPATH/config/defaults.json
{
  "ca-url": "https://ca.smallstep.com",
  "fingerprint": "0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3",
  "root": "/home/user/.step/certs/root_ca.crt"
}

Download the root_ca.crt:

$ step ca root root_ca.crt \
  --ca-url https://ca.smallstep.com \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
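
Both commands above pin the CA with --fingerprint. The shell functions below are an added example, not part of the step documentation: they recompute that value for a root certificate already on disk and compare it with a fingerprint received out of band. They assume the fingerprint is the hex SHA-256 digest of the certificate's DER encoding; the function names are hypothetical and the sample certificate is constructed.

```sh
#!/bin/sh
# Added example. Assumes awk plus GNU coreutils (base64, sha256sum).

# Print the lowercase hex SHA-256 of the DER bytes of the first certificate
# in a PEM file. Fails if the file holds no CERTIFICATE block.
pem_sha256() {
  body=$(awk '/^-----BEGIN CERTIFICATE-----/ {inside = 1; next}
              /^-----END CERTIFICATE-----/   {exit}
              inside                         {print}' "$1" | tr -d '\r')
  [ -n "$body" ] || return 1
  printf '%s\n' "$body" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Accept "0d7d...", "0D:7D:..." or "sha256 Fingerprint=0D:7D:..." and print
# 64 lowercase hex characters; fail on anything else.
normalize_fp() {
  fp=$(printf '%s' "${1##*=}" | tr -d ': \n' | tr 'A-F' 'a-f')
  case $fp in
    '' | *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#fp}" -eq 64 ] || return 1
  printf '%s\n' "$fp"
}

# Return 0 on match, 1 on mismatch, 2 when either input is unusable.
verify_root() {
  expected=$(normalize_fp "$2") || return 2
  actual=$(pem_sha256 "$1") || return 2
  [ "$actual" = "$expected" ]
}

# Constructed sample: arbitrary bytes in PEM armour stand in for a real
# certificate, since only the hashing and comparison are demonstrated.
make_sample_pem() {
  {
    echo '-----BEGIN CERTIFICATE-----'
    printf '%s' 'constructed stand-in for DER bytes' | base64
    echo '-----END CERTIFICATE-----'
  } > "$1"
}
```

Calling verify_root root_ca.crt with the pinned fingerprint as the second argument returns 0 only when the file on disk matches the pin; a malformed fingerprint or an empty file is reported separately from a mismatch.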

Get the health status of the CA:

$ step ca health --ca-url https://ca.smallstep.com --root /home/user/.step/certs/root_ca.crt

Create a new certificate using a token:

$ TOKEN=$(step ca token internal.example.com)
$ step ca certificate internal.example.com internal.crt internal.key \
  --token $TOKEN --ca-url https://ca.smallstep.com --root root_ca.crt

Renew a certificate (certificate must still be valid):

$ step ca renew internal.crt internal.key \
  --ca-url https://ca.smallstep.com --root root_ca.crt

COMMANDS

   
health        get the status of the CA
init          initialize the CA PKI
bootstrap     initialize the environment to use the CA commands
token         generate an OTT granting access to the CA
certificate   generate a new private key and certificate signed by the root certificate
renew         renew a valid certificate
root          download and validate the root certificate
provisioner   create and manage the certificate authority provisioners
sign          generate a new certificate signing a certificate request