step certificate create

NAME

step certificate create – create a certificate or certificate signing request

USAGE

step certificate create subject crt_file key_file [--ca=issuer-cert] [--ca-key=issuer-key] [--csr] [--curve=curve] [--no-password] [--profile=profile] [--size=size] [--kty=kty]

DESCRIPTION

step certificate create generates a certificate or a certificate signing request (CSR) that can be signed later using ‘step certificate sign’ (or some other tool) to produce a certificate.

This command creates X.509 certificates for use with TLS.

POSITIONAL ARGUMENTS

subject
The subject of the certificate. Typically this is a hostname for services or an email address for people.
crt_file
File to write CRT or CSR to (PEM format)
key_file
File to write private key to (PEM format)

OPTIONS

--ca=value
The certificate authority used to issue the new certificate (PEM file).
--ca-key=value
The certificate authority private key used to sign the new certificate (PEM file).
--csr
Generate a certificate signing request (CSR) instead of a certificate.
--no-password
Do not ask for a password to encrypt the private key. Sensitive key material will be written to disk unencrypted. This is not recommended. Requires the --insecure flag.
--profile=profile
The certificate profile sets various certificate details such as certificate use and expiration. The default profile is ‘leaf’ which is suitable for a client or server using TLS.

profile is a case-sensitive string and must be one of:

leaf
Generate a leaf X.509 certificate suitable for use with TLS.
intermediate-ca
Generate a certificate that can be used to sign additional leaf or intermediate certificates.
root-ca
Generate a new self-signed root certificate suitable for use as a root CA.
--kty=kty
The key type (kty) to build the certificate upon. If unset, the default is EC.

kty is a case-sensitive string and must be one of:

EC
Create an elliptic curve keypair
OKP
Create an octet key pair (for “Ed25519” curve)
RSA
Create an RSA keypair
--size=size
The size (in bits) of the key for RSA and oct key types. RSA keys require a minimum key size of 2048 bits. If unset, default is 2048 bits for RSA keys and 128 bits for oct keys.
--crv=curve, --curve=curve
The elliptic curve to use for EC and OKP key types. Corresponds to the “crv” JWK parameter. Valid curves are defined in JWA [RFC7518]. If unset, default is P-256 for EC keys and Ed25519 for OKP keys.

curve is a case-sensitive string and must be one of:

P-256
NIST P-256 Curve
P-384
NIST P-384 Curve
P-521
NIST P-521 Curve
Ed25519
Ed25519 Curve
-f, --force
Force the overwrite of files without asking.

EXIT CODES

This command returns 0 on success and >0 if any error occurs.

EXAMPLES

Create a CSR and key:

$ step certificate create foo foo.csr foo.key --csr

Create a CSR and key - do not encrypt the key when writing to disk:

$ step certificate create foo foo.csr foo.key --csr --no-password --insecure

Create a root certificate and key:

$ step certificate create root-ca root-ca.crt root-ca.key --profile root-ca

Create an intermediate certificate and key:

$ step certificate create intermediate-ca intermediate-ca.crt intermediate-ca.key \
  --profile intermediate-ca --ca ./root-ca.crt --ca-key ./root-ca.key

Create a leaf certificate and key:

$ step certificate create foo foo.crt foo.key --profile leaf \
  --ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key

Create a root certificate and key with underlying OKP Ed25519:

$ step certificate create root-ca root-ca.crt root-ca.key --profile root-ca \
  --kty OKP --curve Ed25519

Create an intermediate certificate and key with underlying EC P-256 key pair:

$ step certificate create intermediate-ca intermediate-ca.crt intermediate-ca.key \
  --profile intermediate-ca --ca ./root-ca.crt --ca-key ./root-ca.key --kty EC --curve P-256

Create a leaf certificate and key with underlying RSA 2048 key pair:

$ step certificate create foo foo.crt foo.key --profile leaf \
  --ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key --kty RSA --size 2048

Create a CSR and key with underlying OKP Ed25519:

$ step certificate create foo foo.csr foo.key --csr --kty OKP --curve Ed25519
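The examples above chain root-ca, intermediate-ca and leaf profiles through --ca/--ca-key. The following Go program is an added example, not step's own code: it reproduces that chain with Ed25519 keys (the --kty OKP --curve Ed25519 choice), verifies the leaf against the root, and then shows why the profile matters, since a certificate cut with the leaf profile is refused as an issuer. The exact X.509 extension set assigned to each profile, and the template, issue and ChainVerifies functions, are this example's assumptions rather than step's implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func template(subject, profile string) *x509.Certificate { // the page's profile names; extension set assumed
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if profile == "leaf" { // end entity: authenticates a TLS peer, must never sign certificates
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{subject}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	} else { // root-ca and intermediate-ca: CA bit set, certificate signing allowed
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	}
	return t
}

func issue(tmpl, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) { // --ca/--ca-key pair
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // --kty OKP --curve Ed25519; rand.Reader never errors (guaranteed since Go 1.24)
	if issuer == nil { // no --ca given: self-sign, as the root-ca profile does
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	crt, err := x509.ParseCertificate(der)
	return crt, key, err
}

// ChainVerifies replays the EXAMPLES sequence root-ca -> midProfile -> leaf and reports whether the leaf chains to the root for DNS name "foo".
func ChainVerifies(midProfile string) bool {
	root, rootKey, _ := issue(template("root-ca", "root-ca"), nil, nil)           // self-signed by a CA template: cannot be refused
	mid, midKey, _ := issue(template("intermediate-ca", midProfile), root, rootKey) // signed by the root CA: cannot be refused
	leaf, _, err := issue(template("foo", "leaf"), mid, midKey)
	if err != nil {
		return false // signing refused: the parent is not a CA
	}
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	mids.AddCert(mid)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: "foo", Roots: roots, Intermediates: mids})
	return err == nil // with midProfile "leaf" this is false: a leaf is not authorized to sign other certificates
}
```

ChainVerifies("intermediate-ca") returns true and ChainVerifies("leaf") returns false, which is the check a relying party performs on a chain that step has produced.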