step ca provisioner add

NAME

step ca provisioner add – add one or more provisioners to the CA configuration

USAGE

step ca provisioner add name jwk-file [jwk-file …] [--ca-config=file] [--type=type] [--create] [--password-file=file]

DESCRIPTION

step ca provisioner add adds one or more provisioners to the configuration and writes the new configuration back to the CA config.

POSITIONAL ARGUMENTS

name
The name of the provisioner. If several JWK files are passed, each key is added as a provisioner under this one name.
jwk-file
One or more private (or public) keys in JWK or PEM format, one key per file.

OPTIONS

--ca-config=file
The file containing the CA configuration.
--type=type
The type of provisioner to create. Type is a case-insensitive string
and must be one of:
JWK
Uses a JWK key pair to sign bootstrap tokens. (default)
OIDC
Uses an OpenID Connect provider to sign bootstrap tokens.
--create
Create a new ECDSA key pair using curve P-256 and populate a new JWK provisioner with it. The new private key is encrypted with the password (see '--password-file') and stored in the CA configuration next to the public key.
--client-id=id
The id used to validate the audience in an OpenID Connect token.
--client-secret=secret
The secret used to obtain the OpenID Connect tokens. It is written to the CA configuration file in clear text, so restrict read access to that file.
--configuration-endpoint=url
OpenID Connect configuration url.
--admin=email
The email of an admin user for an OpenID Connect provisioner. Admins are not limited to certificates for their own email address and may request certificates for any subject. Use the '--admin' flag multiple times to configure multiple administrators.
--domain=domain
The domain used to validate the email claim in an OpenID Connect provisioner. Use the '--domain' flag multiple times to configure multiple domains.
--password-file=file
The path to the file containing the password used to encrypt (with '--create') or decrypt the private key.

EXAMPLES

Add a single JWK provisioner:

$ step ca provisioner add max@smallstep.com ./max-laptop.jwk --ca-config ca.json

Add a single JWK provisioner using an auto-generated asymmetric key pair:

$ step ca provisioner add max@smallstep.com --ca-config ca.json \
  --create

Add a list of provisioners for a single name:

$ step ca provisioner add max@smallstep.com ./max-laptop.jwk ./max-phone.pem ./max-work.pem \
  --ca-config ca.json

Add a single OIDC provisioner:

$ step ca provisioner add Google --type oidc --ca-config ca.json \
  --client-id 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com \
  --configuration-endpoint https://accounts.google.com/.well-known/openid-configuration

Add an OIDC provisioner with two administrators:

$ step ca provisioner add Google --type oidc --ca-config ca.json \
  --client-id 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com \
  --client-secret udTrOT3gzrO7W9fDPgZQLfYJ \
  --configuration-endpoint https://accounts.google.com/.well-known/openid-configuration \
  --admin mariano@smallstep.com --admin max@smallstep.com \
  --domain smallstep.com
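An added example, not part of the step CLI or its documentation: a small Python audit of the authority.provisioners array that the command writes back to ca.json. The ca.json below is constructed, and the field names it relies on (type, name, key.kid, encryptedKey, clientID, clientSecret, admins, domains) follow the step-ca configuration format as I understand it, so treat them as an assumption. It flags the same JWK added twice under one name, an OIDC provisioner added without --domain, and a client secret sitting in the config file.

```python
"""Audit the provisioners that `step ca provisioner add` writes to ca.json.

Added example, not part of the step CLI or step-ca. The config below is a
constructed sample; the field names (authority.provisioners[].type, name,
key.kid, encryptedKey, clientID, clientSecret, admins, domains) follow the
step-ca ca.json format as I understand it and are an assumption here.
"""
import json
from collections import Counter

# Constructed sample ca.json: one JWK key added twice under the same name
# (a second `add` of ./max-laptop.jwk, once as a public key only), plus an
# OIDC provisioner added without --domain.
SAMPLE_CA_JSON = """
{
  "root": "/home/step/certs/root_ca.crt",
  "crt": "/home/step/certs/intermediate_ca.crt",
  "key": "/home/step/secrets/intermediate_ca_key",
  "address": ":443",
  "dnsNames": ["ca.example.com"],
  "authority": {
    "provisioners": [
      {
        "type": "JWK", "name": "max@smallstep.com",
        "key": {"use": "sig", "kty": "EC", "kid": "LAPTOP-KID", "crv": "P-256",
                "alg": "ES256", "x": "<redacted>", "y": "<redacted>"},
        "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ci...<redacted>"
      },
      {
        "type": "JWK", "name": "max@smallstep.com",
        "key": {"use": "sig", "kty": "EC", "kid": "LAPTOP-KID", "crv": "P-256",
                "alg": "ES256", "x": "<redacted>", "y": "<redacted>"}
      },
      {
        "type": "OIDC", "name": "Google",
        "clientID": "1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com",
        "clientSecret": "<redacted>",
        "configurationEndpoint": "https://accounts.google.com/.well-known/openid-configuration",
        "admins": ["mariano@smallstep.com", "max@smallstep.com"]
      }
    ]
  }
}
"""


def load_provisioners(config_text):
    """Return the authority.provisioners list from a ca.json document."""
    return json.loads(config_text).get("authority", {}).get("provisioners", [])


def audit_provisioners(config_text):
    """Return a list of findings (strings) about the provisioners in ca.json.

    * a JWK provisioner is identified by (name, key.kid); the same key added
      twice under one name is a duplicate entry
    * an OIDC provisioner with no "domains" accepts any email the identity
      provider vouches for, not only the organisation's
    * an OIDC clientSecret is stored in clear text in ca.json
    """
    provs = load_provisioners(config_text)
    findings = []
    jwk_ids = Counter((p["name"], p["key"]["kid"]) for p in provs if p.get("type") == "JWK")
    for (name, kid), count in sorted(jwk_ids.items()):
        if count > 1:
            findings.append(f"JWK provisioner {name!r} has {count} entries with kid={kid}")
    for p in provs:
        if p.get("type") != "OIDC":
            continue
        if not p.get("domains"):
            findings.append(f"OIDC provisioner {p['name']!r} has no domains: every account at "
                            "the identity provider can request a certificate for its own email")
        if p.get("clientSecret"):
            findings.append(f"OIDC provisioner {p['name']!r} stores clientSecret in ca.json: "
                            "restrict read access to the file")
    return findings


def summarize(config_text):
    """One line per provisioner: type, name, and where its key material lives."""
    lines = []
    for p in load_provisioners(config_text):
        if p.get("type") == "JWK":
            where = "encrypted key in ca.json" if p.get("encryptedKey") else "public key only"
            lines.append(f"JWK  {p['name']} kid={p['key']['kid']} ({where})")
        elif p.get("type") == "OIDC":
            lines.append(f"OIDC {p['name']} clientID={p['clientID']} "
                         f"admins={len(p.get('admins', []))} domains={p.get('domains', [])}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_CA_JSON):
        print(line)
    for finding in audit_provisioners(SAMPLE_CA_JSON):
        print("WARNING:", finding)
```

Run it against a real config with `python3 audit.py < ca.json` after changing the entry point to read stdin; the "public key only" marker shows which JWK provisioners were added from a public key and therefore depend on the holder of the private key to sign tokens.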