step ca certificate

NAME

step ca certificate – generate a new private key and certificate signed by the root certificate

USAGE

step ca certificate subject crt-file key-file [--token=token] [--ca-url=uri] [--root=file] [--not-before=time|duration] [--not-after=time|duration] [--san=SAN]

DESCRIPTION

The step ca certificate command generates a new private key and a certificate for it, signed by the configured certificate authority.

POSITIONAL ARGUMENTS

subject
The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.
crt-file
File to write the certificate (PEM format)
key-file
File to write the private key (PEM format)

OPTIONS

--token=token
The one-time token used to authenticate with the CA in order to create the certificate.
--ca-url=URI
URI of the targeted Step Certificate Authority.
--root=file
The path to the PEM file used as the root certificate authority.
--not-before=time|duration
The time|duration set in the NotBefore (nbf) property of the token. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
--not-after=time|duration
The time|duration set in the Expiration (exp) property of the token. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
--san=value
Add DNS or IP Address Subject Alternative Names (SANs) that the token is authorized to request. A certificate signing request using this token must match the complete set of Subject Alternative Names in the token 1:1. Use the '--san' flag multiple times to configure multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.
-f=value, --force=value
Force the overwrite of files without asking.

EXAMPLES

Request a new certificate for a given domain. There are no additional SANs configured, therefore (by default) the subject will be used as the only SAN extension: DNS Name internal.example.com:

$ TOKEN=$(step ca token internal.example.com)
$ step ca certificate --token $TOKEN internal.example.com internal.crt internal.key

Request a new certificate with multiple Subject Alternative Names. The Subject Common Name of the certificate will be 'foobar'. However, because additional SANs are configured using the --san flag and 'foobar' is not one of these, 'foobar' will not be in the SAN extensions of the certificate. The certificate will have 2 IP Address extensions (1.1.1.1, 10.2.3.4) and 1 DNS Name extension (hello.example.com):

$ step ca certificate --san 1.1.1.1 --san hello.example.com --san 10.2.3.4 foobar internal.crt internal.key

Request a new certificate with a 1h validity:

$ TOKEN=$(step ca token internal.example.com)
$ step ca certificate --token $TOKEN --not-after=1h internal.example.com internal.crt internal.key
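The --not-before and --not-after options above accept either an RFC 3339 timestamp or a relative duration. The following Go program is an added illustration of that resolution logic, not code from the step CLI: it turns the two option values into an nbf/exp pair and rejects a window whose expiry does not come after its start. The 24h fallback lifetime used when --not-after is omitted is an assumed placeholder, not a value documented on this page.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// parseTimeOrDuration interprets an option value the way the man page
// describes: an RFC 3339 timestamp is taken literally; anything else must be
// a duration such as "300ms", "-1.5h" or "2h45m", applied relative to now.
func parseTimeOrDuration(value string, now time.Time) (time.Time, error) {
	if t, err := time.Parse(time.RFC3339, value); err == nil {
		return t, nil
	}
	d, err := time.ParseDuration(value)
	if err != nil {
		return time.Time{}, fmt.Errorf("%q is neither RFC 3339 nor a duration: %w", value, err)
	}
	return now.Add(d), nil
}

// ValidityWindow resolves the token's nbf and exp from the raw option values.
// An empty notBefore means "now"; an empty notAfter falls back to 24h, an
// assumed default for this illustration only.
func ValidityWindow(notBefore, notAfter string, now time.Time) (nbf, exp time.Time, err error) {
	nbf = now
	if notBefore != "" {
		if nbf, err = parseTimeOrDuration(notBefore, now); err != nil {
			return
		}
	}
	exp = now.Add(24 * time.Hour)
	if notAfter != "" {
		if exp, err = parseTimeOrDuration(notAfter, now); err != nil {
			return
		}
	}
	// A certificate that expires before it becomes valid is never usable.
	if !exp.After(nbf) {
		err = errors.New("not-after must be later than not-before")
	}
	return
}

func main() {
	nbf, exp, err := ValidityWindow("", "1h", time.Now().UTC())
	fmt.Println("nbf:", nbf, "exp:", exp, "err:", err)
}
```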