NAME

step certificate create – create a certificate or certificate signing request

USAGE

step certificate create subject crt_file key_file [--ca=issuer-cert] [--ca-key=issuer-key] [--csr] [--no-password] [--profile=profile] [--san=SAN] [--bundle] [--kty=type] [--curve=curve] [--size=size]

DESCRIPTION

step certificate create generates a certificate or a certificate signing request (CSR) that can be signed later using ‘step certificate sign’ (or some other tool) to produce a certificate.

This command creates X.509 certificates for use with TLS.

POSITIONAL ARGUMENTS

subject
The subject of the certificate. Typically this is a hostname for services or an email address for people.
crt_file
File to write CRT or CSR to (PEM format)
key_file
File to write private key to (PEM format)

OPTIONS

--ca=value
The certificate authority used to issue the new certificate (PEM file).
--ca-key=value
The certificate authority private key used to sign the new certificate (PEM file).
--csr
Generate a certificate signing request (CSR) instead of a certificate.
--no-password
Do not ask for a password to encrypt the private key. Sensitive key material will be written to disk unencrypted. This is not recommended. Requires the --insecure flag.
--profile=profile
The certificate profile sets various certificate details such as certificate use and expiration. The default profile is ‘leaf’, which is suitable for a client or server using TLS.

profile is a case-sensitive string and must be one of:

leaf
Generate a leaf X.509 certificate suitable for use with TLS.
intermediate-ca
Generate a certificate that can be used to sign additional leaf or intermediate certificates.
root-ca
Generate a new self-signed root certificate suitable for use as a root CA.
self-signed
Generate a new self-signed leaf certificate suitable for use with TLS. This profile requires the --subtle flag because the use of self-signed leaf certificates is discouraged unless absolutely necessary.
--not-before=time|duration
The time|duration set in the NotBefore property of the certificate. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
--not-after=time|duration
The time|duration set in the NotAfter property of the certificate. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
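The following Python is an added illustration, not part of step or this manual: it implements the duration grammar above and computes the NotBefore/NotAfter window a given pair of flag values would produce, so the validity of a request such as the EXAMPLES entry with --not-before 24h --not-after 2160h can be checked before the certificate is issued. It assumes that a duration is an offset from the current time and that an RFC 3339 value is taken literally; the function names are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Unit suffixes the --not-before/--not-after duration grammar accepts, in seconds.
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3,
                 "s": 1.0, "m": 60.0, "h": 3600.0}
# One "<decimal><unit>" component; a duration is one or more of these in a row.
_COMPONENT = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|ms|s|m|h)")

def parse_duration(text: str) -> timedelta:
    """Parse a Go-style duration such as "300ms", "-1.5h" or "2h45m"."""
    sign, s = (-1, text[1:]) if text.startswith("-") else (1, text)
    pos, seconds = 0, 0.0
    while pos < len(s):
        m = _COMPONENT.match(s, pos)
        if m is None:
            raise ValueError(f"not a duration: {text!r}")
        seconds += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0:  # nothing parsed: "" or a bare "-"
        raise ValueError(f"empty duration: {text!r}")
    # timedelta keeps microseconds, so sub-microsecond parts ("300ns") round away.
    return timedelta(seconds=sign * seconds)

def resolve_time(value: str, now: datetime) -> datetime:
    """A duration is an offset from `now` (assumed: how step applies relative
    values); otherwise the value must be an RFC 3339 timestamp with a UTC offset."""
    try:
        return now + parse_duration(value)
    except ValueError:
        pass
    ts = value[:-1] + "+00:00" if value[-1:] in ("Z", "z") else value
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:
        raise ValueError(f"RFC 3339 time needs a UTC offset: {value!r}")
    return parsed.astimezone(timezone.utc)

def validity_window(not_before: str, not_after: str, now=None):
    """Return (NotBefore, NotAfter) as aware UTC datetimes; `now` may be None,
    a datetime, or an RFC 3339 string (useful for reproducible checks)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = resolve_time(now, datetime.now(timezone.utc))
    nb, na = resolve_time(not_before, now), resolve_time(not_after, now)
    if na <= nb:  # step would produce a certificate that is never valid
        raise ValueError(f"NotAfter {na} is not later than NotBefore {nb}")
    return nb, na
```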

--san=value
Add DNS or IP address Subject Alternative Names (SANs). Use the --san flag multiple times to configure multiple SANs.

--bundle
Bundle the new leaf certificate with the signing certificate. This flag requires the --ca flag.

--kty=kty
The kty to build the certificate upon. If unset, default is EC.

kty is a case-sensitive string and must be one of:

EC
Create an elliptic curve keypair
OKP
Create an octet key pair (for “Ed25519” curve)
RSA
Create an RSA keypair
--size=size
The size (in bits) of the key for RSA and oct key types. RSA keys require a minimum key size of 2048 bits. If unset, default is 2048 bits for RSA keys and 128 bits for oct keys.

--crv=curve, --curve=curve
The elliptic curve to use for EC and OKP key types. Corresponds to the “crv” JWK parameter. Valid curves are defined in JWA [RFC7518]. If unset, default is P-256 for EC keys and Ed25519 for OKP keys.

curve is a case-sensitive string and must be one of:

P-256
NIST P-256 Curve
P-384
NIST P-384 Curve
P-521
NIST P-521 Curve
Ed25519
Ed25519 Curve
-f, --force
Force the overwrite of files without asking.
--subtle

EXIT CODES

This command returns 0 on success and >0 if any error occurs.

EXAMPLES

Create a CSR and key:

$ step certificate create foo foo.csr foo.key --csr

Create a CSR and key with custom Subject Alternative Names:

$ step certificate create foo foo.csr foo.key --csr \
  --san inter.smallstep.com --san 1.1.1.1 --san ca.smallstep.com

Create a CSR and key - do not encrypt the key when writing to disk:

$ step certificate create foo foo.csr foo.key --csr --no-password --insecure

Create a root certificate and key:

$ step certificate create root-ca root-ca.crt root-ca.key --profile root-ca

Create an intermediate certificate and key:

$ step certificate create intermediate-ca intermediate-ca.crt intermediate-ca.key \
  --profile intermediate-ca --ca ./root-ca.crt --ca-key ./root-ca.key

Create an intermediate certificate and key with custom Subject Alternative Names:

$ step certificate create intermediate-ca intermediate-ca.crt intermediate-ca.key \
  --profile intermediate-ca --ca ./root-ca.crt --ca-key ./root-ca.key \
  --san inter.smallstep.com --san 1.1.1.1 --san ca.smallstep.com

Create a leaf certificate and key:

$ step certificate create foo foo.crt foo.key --profile leaf \
  --ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key

Create a leaf certificate and key with custom Subject Alternative Names:

$ step certificate create foo foo.crt foo.key --profile leaf \
  --ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key \
  --san inter.smallstep.com --san 1.1.1.1 --san ca.smallstep.com

Create a leaf certificate and key with custom validity:

$ step certificate create foo foo.crt foo.key --profile leaf \
  --ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key \
  --not-before 24h --not-after 2160h

Create a self-signed leaf certificate and key:

$ step certificate create self-signed-leaf.local leaf.crt leaf.key --profile self-signed --subtle

Create a root certificate and key with underlying OKP Ed25519:

$ step certificate create root-ca root-ca.crt root-ca.key --profile root-ca \
  --kty OKP --curve Ed25519

Create an intermediate certificate and key with underlying EC P-256 key pair:

$ step certificate create intermediate-ca intermediate-ca.crt intermediate-ca.key \
  --profile intermediate-ca --ca ./root-ca.crt --ca-key ./root-ca.key --kty EC --curve P-256

Create a leaf certificate and key with underlying RSA 2048 key pair:

$ step certificate create foo foo.crt foo.key --profile leaf \
  --ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key --kty RSA --size 2048

Create a CSR and key with underlying OKP Ed25519:

$ step certificate create foo foo.csr foo.key --csr --kty OKP --curve Ed25519