NAME

step ca sign – generate a new certificate signing a certificate request

USAGE

step ca sign csr-file crt-file [–token=token] [–issuer=name] [–ca-url=uri] [–root=file] [–not-before=time|duration] [–not-after=time|duration] [–acme=uri] [–standalone] [–webroot=path] [–contact=email] [–http-listen=address] [–console]

DESCRIPTION

step ca sign command signs the given csr and generates a new certificate.

POSITIONAL ARGUMENTS

csr-file
File with the certificate signing request (PEM format)
crt-file
File to write the certificate (PEM format)

OPTIONS

–ca-config=path
The path to the certificate authority configuration file. Defaults to $STEPPATH/config/ca.json
–ca-url=URI
URI of the targeted Step Certificate Authority.
-f, –force
Force the overwrite of files without asking.
–not-before=time|duration
The time|duration when the certificate validity period starts. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
–not-after=time|duration
The time|duration when the certificate validity period ends. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
–offline
Creates a certificate without contacting the certificate authority. Offline mode uses the configuration, certificates, and keys created with step ca init, but can accept a different configuration file using ‘–ca-config`’ flag.
–provisioner=name, –issuer=name
The provisioner name to use.
–root=file
The path to the PEM file used as the root certificate authority.
–token=token
The one-time token used to authenticate with the CA in order to create the certificate.
–console
Complete the flow while remaining inside the terminal
–acme=value
ACME directory URL to be used for requesting certificates via the ACME protocol. Use this flag to define an ACME server other than the Step CA. If this flag is absent and an ACME provisioner has been selected then the ‘–ca-url’ flag must be defined.
–standalone
Get a certificate using the ACME protocol and standalone mode for validation. Standalone is a mode in which the step process will run a server that will will respond to ACME challenge validation requests. Standalone is the default mode for serving challenge validation requests.
–webroot=value
Get a certificate using the ACME protocol and webroot mode for validation. Webroot is a mode in which the step process will write a challenge file to a location being served by an existing fileserver in order to respond to ACME challenge validation requests.
–contact=value
Email addresses for contact as part of the ACME protocol. These contacts may be used to warn of certificate expration or other certificate lifetime events. Use the ‘–contact’ flag multiple times to configure multiple contacts.
–http-listen=value
Use a non-standard http address, behind a reverse proxy or load balancer, for serving ACME challenges. The default address is :80, which requires super user (sudo) privileges. This flag must be used in conjunction with the ‘–standalone’ flag.

EXAMPLES

Sign a new certificate for the given CSR:

$ TOKEN=$(step ca token internal.example.com)
$ step ca sign --token $TOKEN internal.csr internal.crt

Sign a new certificate with a 1h validity:

$ TOKEN=$(step ca token internal.example.com)
$ step ca sign --token $TOKEN --not-after=1h internal.csr internal.crt

Sign a new certificate using the offline mode, requires the configuration files, certificates, and keys created with step ca init:

$ step ca sign --offline internal internal.csr internal.crt

step CA ACME - In order to use the step CA ACME protocol you must add a ACME provisioner to the step CA config. See step ca provisioner add -h.

Sign a CSR using the step CA ACME server and a standalone server to serve the challenges locally (standalone mode is the default):

$ step ca sign foo.csr foo.crt --provisioner my-acme-provisioner

Sign a CSR using the step CA ACME server and an existing server along with webroot mode to serve the challenges locally:

$ step ca sign foo.csr foo.crt \
  --provisioner my-acme-provisioner --webroot "./acme-www" \

Sign a CSR using the ACME protocol served by another online CA (not step CA, e.g. letsencrypt). NOTE: Let’s Encrypt requires that the Subject Common Name of a requested certificate be validated as an Identifier in the ACME order along with any other SANS. Therefore, the Common Name must be a valid DNS Name. The step CA does not impose this requirement.

$ step ca sign foo.csr foo.crt \
--acme https://acme-staging-v02.api.letsencrypt.org/directory