step ca bootstrap – initialize the environment to use the CA commands


step ca bootstrap [–ca-url=uri] [–fingerprint=fingerprint] [–install] [–team=name] [–team-url=url] [–redirect-url=url]


step ca bootstrap downloads the root certificate from the certificate authority and sets up the current environment to use it.

Bootstrap will store the root certificate in $STEPPATH/certs/root_ca.crt and create a configuration file in $STEPPATH/configs/defaults.json with the CA url, the root certificate location and its fingerprint.

After the bootstrap, ca commands do not need to specify the flags –ca-url, –root or –fingerprint if we want to use the same environment.


URI of the targeted Step Certificate Authority.
The fingerprint of the targeted root certificate.
Install the root certificate into the system truststore.
The team name used to bootstrap the environment.
The url step queries to retrieve initial team configuration. Only used with the –team option. If the url contains “<>” placeholders, they are replaced with the team name.
Terminal OAuth redirect url.
-f, –force
Force the overwrite of files without asking.


Bootstrap using the CA url and a fingerprint:

$ step ca bootstrap --ca-url \
  --fingerprint d9d0978692f1c7cc791f5c343ce98771900721405e834cd27b9502cc719f5097

Bootstrap and install the root certificate

$ step ca bootstrap --ca-url \
  --fingerprint d9d0978692f1c7cc791f5c343ce98771900721405e834cd27b9502cc719f5097 \

Bootstrap using a team name:

$ step ca bootstrap --team superteam

Bootstrap using a team in your environment, this requires an HTTP(S) server serving a JSON file like:

$ step ca bootstrap --team superteam --team-url