step ca certificate

NAME

step ca certificate -- generate a new private key and certificate signed by the root certificate

USAGE

step ca certificate hostname crt-file key-file [--token=token] [--ca-url=uri] [--root=file] [--not-before=time|duration] [--not-after=time|duration]

DESCRIPTION

The step ca certificate command generates a new private key and certificate pair, with the certificate signed by the root certificate.

POSITIONAL ARGUMENTS

hostname
The DNS name or IP address that will be set as the subject for the certificate.
crt-file
File to write the certificate (PEM format).
key-file
File to write the private key (PEM format).

OPTIONS

--token=token
The one-time token used to authenticate with the CA in order to create the certificate.
--ca-url=URI
URI of the targeted Step Certificate Authority.
--root=file
The path to the PEM file used as the root certificate authority.
--not-before=time|duration
The time|duration set in the NotBefore (nbf) property of the token. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
--not-after=time|duration
The time|duration set in the Expiration (exp) property of the token. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
-f=value, --force=value
Force the overwrite of files without asking.

EXAMPLES

Request a new certificate for a given domain:

$ TOKEN=$(step ca token internal.example.com)
$ step ca certificate --token $TOKEN internal.example.com internal.crt internal.key

Request a new certificate with a 1h validity:

$ TOKEN=$(step ca token internal.example.com)
$ step ca certificate --token $TOKEN --not-after=1h internal.example.com internal.crt internal.key
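
The time|duration grammar described for --not-before and --not-after, as an added Python example (not code from step itself): it resolves a value to an absolute UTC time and rejects a window longer than a limit before the CA is called. The function names and the max_lifetime policy are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Unit suffixes listed in the option text, expressed in seconds.
UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
# One term: decimal number with optional fraction, then a unit suffix.
TERM = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|ms|s|m|h)")

def parse_duration(text):
    """Parse "300ms", "-1.5h" or "2h45m" (timedelta keeps microseconds)."""
    sign = -1 if text.startswith("-") else 1
    body = text[1:] if text[:1] in ("+", "-") else text
    if not body:
        raise ValueError(f"invalid duration: {text!r}")
    pos, seconds = 0, 0.0
    while pos < len(body):
        term = TERM.match(body, pos)
        if term is None:
            raise ValueError(f"invalid duration: {text!r}")
        seconds += float(term.group(1)) * UNITS[term.group(2)]
        pos = term.end()
    return timedelta(seconds=sign * seconds)

def resolve(value, now):
    """Return the absolute UTC time that a time|duration value refers to."""
    try:
        return now + parse_duration(value)  # durations are relative to now
    except ValueError:
        pass
    # Otherwise expect RFC 3339; older fromisoformat() rejects a "Z" suffix.
    iso = value[:-1] + "+00:00" if value[-1:] in ("Z", "z") else value
    when = datetime.fromisoformat(iso)
    if when.tzinfo is None:
        raise ValueError(f"RFC 3339 time needs a UTC offset: {value!r}")
    return when.astimezone(timezone.utc)

def check_window(not_before, not_after, max_lifetime, now=None):
    """Validate the requested window against max_lifetime (hypothetical policy)."""
    now = now or datetime.now(timezone.utc)
    start = resolve(not_before, now) if not_before else now
    end = resolve(not_after, now)
    if end <= start:
        raise ValueError("not-after must be later than not-before")
    if end - start > max_lifetime:
        raise ValueError(f"lifetime {end - start} exceeds {max_lifetime}")
    return start, end
```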