NAME

step ca provisioner add – add one or more provisioners the CA configuration

USAGE

step ca provisioner add name jwk-file [jwk-file …] –ca-config=file [–type=JWK] [–create] [–password-file=file]

step ca provisioner add name –type=OIDC –ca-config=file [–client-id=id] [–client-secret=secret] [–configuration-endpoint=url] [–domain=domain] [–admin=email]…

step ca provisioner add name –type=[AWS|Azure|GCP] –ca-config=file [–aws-account=id] [–gcp-service-account=name] [–gcp-project=name] [–azure-tenant=id] [–azure-resource-group=name] [–instance-age=duration] [–disable-custom-sans] [–disable-trust-on-first-use]

step ca provisioner add name –type=ACME –ca-config=file

DESCRIPTION

step ca provisioner add adds one or more provisioners to the configuration and writes the new configuration back to the CA config.

POSITIONAL ARGUMENTS

name
The name of the provisioners, if a list of JWK files are passed, this name will be linked to all the keys.
jwk-path
List of private (or public) keys in JWK or PEM format.

OPTIONS

–ca-config=file
The file containing the CA configuration.
–type=type

The type of provisioner to create. Type is a case-insensitive string and must be one of: JWK

Uses an JWK key pair to sign bootstrap tokens. (default)
OIDC
Uses an OpenID Connect provider to sign bootstrap tokens.
AWS
Uses Amazon AWS instance identity documents.
GCP
Use Google instance identity tokens.
Azure
Uses Microsoft Azure identity tokens.
ACME
Uses the ACME protocol to create certificates.
–create

Create a new ECDSA key pair using curve P-256 and populate a new JWK provisioner with it.

–client-id=id

The id used to validate the audience in an OpenID Connect token.

–client-secret=secret

The secret used to obtain the OpenID Connect tokens.

–configuration-endpoint=url

OpenID Connect configuration url.

–admin=email

The email of an admin user in an OpenID Connect provisioner, this user will not have restrictions in the certificates to sign. Use the ‘–admin’ flag multiple times to configure multiple administrators.

–domain=domain

The domain used to validate the email claim in an OpenID Connect provisioner. Use the ‘–domain’ flag multiple times to configure multiple domains.

–password-file=file

The path to the file containing the password to encrypt or decrypt the private key.

–aws-account=id

The AWS account id used to validate the identity documents. Use the flag multiple times to configure multiple accounts.

–gcp-service-account=email

The Google service account email or id used to validate the identity tokens. Use the flag multiple times to configure multiple service accounts.

–gcp-project=id

The Google project id used to validate the identity tokens. Use the flag multipl etimes to configure multiple projects

–azure-tenant=id

The Microsoft Azure tenant id used to validate the identity tokens.

–azure-resource-group=name

The Microsoft Azure resource group name used to validate the identity tokens. Use the flag multipl etimes to configure multiple resource groups

–instance-age=duration

The maximum duration to grant a certificate in AWS and GCP provisioners. A duration is sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.

–disable-custom-sans

On cloud provisioners, if anabled only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

–disable-trust-on-first-use, –disable-tofu

On cloud provisioners, if enabled multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

EXAMPLES

Add a single JWK provisioner:

$ step ca provisioner add max@smallstep.com ./max-laptop.jwk --ca-config ca.json

Add a single JWK provisioner using an auto-generated asymmetric key pair:

$ step ca provisioner add max@smallstep.com --ca-config ca.json \
--create

Add a list of provisioners for a single name:

$ step ca provisioner add max@smallstep.com ./max-laptop.jwk ./max-phone.pem ./max-work.pem \
--ca-config ca.json

Add a single OIDC provisioner:

$ step ca provisioner add Google --type oidc --ca-config ca.json \
  --client-id 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com \
  --configuration-endpoint https://accounts.google.com/.well-known/openid-configuration

Add an OIDC provisioner with two administrators:

$ step ca provisioner add Google --type oidc --ca-config ca.json \
  --client-id 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com \
  --client-secret udTrOT3gzrO7W9fDPgZQLfYJ \
  --configuration-endpoint https://accounts.google.com/.well-known/openid-configuration \
  --admin mariano@smallstep.com --admin max@smallstep.com \
  --domain smallstep.com

Add an AWS provisioner on one account with a one hour of intance age:

$ step ca provisioner add Amazon --type AWS --ca-config ca.json \
  --aws-account 123456789 --instance-age 1h

Add an GCP provisioner with two service accounts and two project ids:

$ step ca provisioner add Google --type GCP --ca-config ca.json \
  --gcp-service-account 1234567890-compute@developer.gserviceaccount.com \
  --gcp-service-account 9876543210-compute@developer.gserviceaccount.com \
  --gcp-project identity --gcp-project accounting

Add an Azure provisioner with two service groups:

$ step ca provisioner add Azure --type Azure --ca-config ca.json \
  --azure-tenant bc9043e2-b645-4c1c-a87a-78f8644bfe57 \
  --azure-resource-group identity --azure-resource-group accounting

Add an GCP provisioner that will only accept the SANs provided in the identity token:

$ step ca provisioner add Google --type GCP --ca-config ca.json \
  --disable-custom-sans --gcp-project internal

Add an AWS provisioner that will only accept the SANs provided in the identity document and will allow multiple certificates from the same instance:

$ step ca provisioner add Amazon --type AWS --ca-config ca.json \
  --aws-account 123456789 --disable-custom-sans --disable-trust-on-first-use

Add an ACME provisioner.

$ step ca provisioner add acme-smallstep –type ACME –ca-config ca.json ```