step ca token

NAME

step ca token – generate an OTT granting access to the CA

USAGE

step ca token hostname [--kid=kid] [--issuer=issuer] [--ca-url=uri] [--root=file] [--not-before=time|duration] [--not-after=time|duration] [--password-file=file] [--output-file=file] [--key=file] [--offline]

DESCRIPTION

The step ca token command generates a one-time token (OTT), a signed JWT, that grants access to the certificate authority for a single certificate request. Anyone holding the token can obtain a certificate for the named hostname until it expires, so keep the validity window short and treat the token as a secret.

POSITIONAL ARGUMENTS

hostname
The DNS name or IP address that the certificate authority will set in the certificate issued with this token.

OPTIONS

--kid=kid
The provisioner kid (key ID) to use.
--issuer=name
The provisioner name to use.
--ca-url=URI
URI of the targeted Step Certificate Authority.
--root=file
The path to the PEM file used as the root certificate authority.
--not-before=time|duration
The time|duration set in the NotBefore (nbf) property of the token. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". A duration is relative to the moment the token is generated.
--not-after=time|duration
The time|duration set in the Expiration (exp) property of the token. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
--password-file=file
The path to the file containing the password to decrypt the provisioner key used to sign the one-time token.
--output-file=file
The destination file of the generated one-time token.
--key=file
The private key file used to sign the JWT. This is usually downloaded from the certificate authority.
--offline
Creates a token without contacting the certificate authority. Offline mode requires the flags --kid, --issuer, --key, --ca-url, and --root.
-f, --force
Force the overwrite of files without asking.

EXAMPLES

Most of the following examples assume that --ca-url and --root are set using environment variables or the default configuration file in $STEPPATH/config/defaults.json.

Get a new token for a DNS:

$ step ca token internal.example.com

Get a new token for an IP address:

$ step ca token 192.168.10.10

Get a new token that is valid now but expires in 30 minutes:

$ step ca token --not-after 30m internal.example.com

Get a new token that is not valid for 30 minutes and expires 5 minutes after that:

$ step ca token --not-before 30m --not-after 35m internal.example.com
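The two examples above map directly onto the nbf and exp claims of the token, and those two claims are what the CA compares against its clock when the token is presented. The following is an added example, not part of this manual page or of the step project: a small stdlib-only Python inspector that decodes a token and reports whether it is usable right now, whether its lifetime is longer than a local policy allows, and whether it names the intended host. The sample token it builds is constructed here with a placeholder signature; the claim layout (aud pointing at the CA sign endpoint, sans listing the hostname) and the kid value are assumptions taken from the examples on this page. Signature verification is deliberately out of scope, since it needs the provisioner's public key.

```python
import base64
import json
import time

# Constructed sample values (assumptions, not values from a real CA).
SAMPLE_KID = "4vn46fbZT68Uxfs9LBwHkTvrjEvxQqx-W8nnE-qDjts"
SIGN_ENDPOINT = "https://ca.example.com/1.0/sign"   # assumed aud value


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that compact JWS strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(hostname, not_before, not_after, issuer="you@example.com"):
    """Build a constructed token with the OTT claim layout and a dummy signature."""
    header = {"alg": "ES256", "kid": SAMPLE_KID, "typ": "JWT"}
    claims = {
        "aud": SIGN_ENDPOINT, "iss": issuer, "sub": hostname,
        "sans": [hostname], "nbf": not_before, "exp": not_after,
        "iat": not_before, "jti": "constructed-example-jti",
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"\x00" * 64),      # placeholder for the ES256 signature
    ])


def decode_ott(token):
    """Split a compact JWS into (header, claims). No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_ott(token, hostname, now=None, max_lifetime=3600, expected_kid=None):
    """Return (ok, problems) for a token about to be handed to a host.

    Mirrors the clock checks the CA performs on nbf/exp, and adds two
    local policy checks: the token must name the intended hostname and
    its window must not exceed max_lifetime seconds.
    """
    now = int(time.time()) if now is None else now
    header, claims = decode_ott(token)
    problems = []
    if expected_kid is not None and header.get("kid") != expected_kid:
        problems.append("unexpected provisioner kid %r" % header.get("kid"))
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if nbf is None or exp is None:
        problems.append("missing nbf/exp")
    else:
        if now < nbf:
            problems.append("not yet valid: nbf is %ds in the future" % (nbf - now))
        if now >= exp:
            problems.append("expired %ds ago" % (now - exp))
        if exp - nbf > max_lifetime:
            problems.append("lifetime %ds exceeds limit %ds" % (exp - nbf, max_lifetime))
    if hostname not in claims.get("sans", []):
        problems.append("hostname %r not in sans %r" % (hostname, claims.get("sans")))
    return (not problems, problems)


if __name__ == "__main__":
    host = "internal.example.com"
    now = int(time.time())
    # Same window as "--not-before 30m --not-after 35m": unusable for 30 minutes.
    token = make_sample_token(host, now + 1800, now + 2100)
    print(check_ott(token, host, now=now, expected_kid=SAMPLE_KID))
```

Run the same check against the output of a real `step ca token --output-file ott.txt ...` by passing the file's contents to check_ott; a "not yet valid" result means the nbf you chose has not been reached on this machine's clock, and a "lifetime exceeds" result flags a token that would stay usable far longer than a bootstrap needs.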

Get a new token signed with the given private key; the corresponding public key must be configured in the certificate authority as a provisioner:

$ step ca token internal.smallstep.com --key token.key

Get a new token for a specific provisioner kid, ca-url and root:

$ step ca token internal.example.com \
    --kid 4vn46fbZT68Uxfs9LBwHkTvrjEvxQqx-W8nnE-qDjts \
    --ca-url https://ca.example.com \
    --root /path/to/root_ca.crt

Get a new token using the offline mode:

$ step ca token internal.example.com \
    --offline \
    --kid 4vn46fbZT68Uxfs9LBwHkTvrjEvxQqx-W8nnE-qDjts \
    --issuer you@example.com \
    --key provisioner.key \
    --ca-url https://ca.example.com \
    --root /path/to/root_ca.crt