step ca sign

NAME

step ca sign – generate a new certificate by signing a certificate request

USAGE

step ca sign csr-file crt-file [--token=token] [--ca-url=uri] [--root=file] [--not-before=time|duration] [--not-after=time|duration]

DESCRIPTION

The step ca sign command signs the given CSR and generates a new certificate.

POSITIONAL ARGUMENTS

csr-file
File with the certificate signing request (PEM format)
crt-file
File to write the certificate (PEM format)

OPTIONS

--token=token
The one-time token used to authenticate with the CA in order to create the certificate.
--ca-url=URI
URI of the targeted Step Certificate Authority.
--root=file
The path to the PEM file used as the root certificate authority.
--not-before=time|duration
The time|duration set in the NotBefore (nbf) property of the token. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
--not-after=time|duration
The time|duration set in the Expiration (exp) property of the token. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
-f=value, --force=value
Force the overwrite of files without asking.

EXAMPLES

Sign a new certificate for the given CSR:

$ TOKEN=$(step ca token internal.example.com)
$ step ca sign --token $TOKEN internal.csr internal.crt

Sign a new certificate with a 1h validity:

$ TOKEN=$(step ca token internal.example.com)
$ step ca sign --token $TOKEN --not-after=1h internal.csr internal.crt
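
The time|duration values accepted by --not-before and --not-after can be pre-checked in a script before a token is requested. The following is an added example, not code from the step project: it resolves each value to an absolute time and rejects an inverted validity window. It assumes durations are applied relative to the current time and that an omitted --not-before means "now"; resolve and window are hypothetical helper names.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// resolve reads a value as an RFC 3339 time, or else as a duration
// (the same syntax as Go's time.ParseDuration) added to now (assumption).
func resolve(value string, now time.Time) (time.Time, error) {
	if t, err := time.Parse(time.RFC3339, value); err == nil {
		return t.UTC(), nil
	}
	d, err := time.ParseDuration(value)
	if err != nil {
		return time.Time{}, fmt.Errorf("%q is neither an RFC 3339 time nor a duration", value)
	}
	return now.Add(d).UTC(), nil
}

// window resolves both flags and rejects an empty or inverted validity window.
// An empty notBefore is treated as now (assumption of this example).
func window(notBefore, notAfter string, now time.Time) (nbf, exp time.Time, err error) {
	nbf = now.UTC()
	if notBefore != "" {
		if nbf, err = resolve(notBefore, now); err != nil {
			return
		}
	}
	if exp, err = resolve(notAfter, now); err != nil {
		return
	}
	if !exp.After(nbf) {
		err = errors.New("not-after must be later than not-before")
	}
	return
}

func main() {
	// Constructed sample inputs, not values from the page.
	for _, in := range [][2]string{{"", "1h"}, {"-1.5h", "2h45m"}, {"2h", "300ms"}, {"", "1 hour"}} {
		nbf, exp, err := window(in[0], in[1], time.Now())
		fmt.Printf("nbf=%q exp=%q -> %s .. %s err=%v\n", in[0], in[1],
			nbf.Format(time.RFC3339), exp.Format(time.RFC3339), err)
	}
}
```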