step crypto keypair

NAME

step crypto keypair – generate a public / private keypair in PEM format

USAGE

step crypto keypair pub_file priv_file [--curve=curve] [--no-password] [--size=size] [--kty=key-type]

DESCRIPTION

step crypto keypair generates a raw public / private keypair in PEM format. These keys can be used by other operations to sign and encrypt data, and the public key can be bound to an identity in a CSR and signed by a CA to produce a certificate.

By default the private key is encrypted with a password that you are prompted for when the key is created; you’ll be prompted for it again automatically whenever the key is used. Writing the private key to disk unencrypted requires both --no-password and --insecure.

POSITIONAL ARGUMENTS

pub_file
The path to write the public key.
priv_file
The path to write the private key.

OPTIONS

--kty=kty
The kty (key type) to create. If unset, default is EC.

kty is a case-sensitive string and must be one of:

EC
Create an elliptic curve keypair
OKP
Create an octet key pair (for the “Ed25519” curve)
RSA
Create an RSA keypair
--size=size
The size (in bits) of the key for RSA and oct key types. RSA keys require a minimum key size of 2048 bits; a smaller size is accepted only together with --insecure. If unset, default is 2048 bits for RSA keys and 128 bits for oct keys. Since --kty for this command accepts only EC, OKP and RSA, --size is relevant here for RSA keys only; the length of an EC or OKP key is fixed by its curve.
--crv=curve, --curve=curve
The elliptic curve to use for EC and OKP key types. Corresponds to the “crv” JWK parameter. Valid curves are defined in JWA [RFC7518]. If unset, default is P-256 for EC keys and Ed25519 for OKP keys.

curve is a case-sensitive string and must be one of:

P-256
NIST P-256 Curve
P-384
NIST P-384 Curve
P-521
NIST P-521 Curve
Ed25519
Ed25519 Curve
--from-jwk=jwk-file
Create a PEM representing the key encoded in an existing jwk-file instead of creating a new key.
--no-password
Do not ask for a password to encrypt the private key. Sensitive key material will be written to disk unencrypted. This is not recommended. Requires the --insecure flag.
-f, --force
Force the overwrite of files without asking.

EXIT CODES

This command returns 0 on success and >0 if any error occurs.

EXAMPLES

Create an RSA public / private key pair with 4096 bits:

$ step crypto keypair foo.pub foo.key --kty RSA --size 4096

Create an RSA public / private key with fewer than the recommended number of bits (recommended >= 2048 bits; --insecure is required to go below the minimum):

$ step crypto keypair foo.pub foo.key --kty RSA --size 1024 --insecure

Create an EC public / private key pair with curve P-521:

$ step crypto keypair foo.pub foo.key --kty EC --curve "P-521"

Create an EC public / private key pair but do not encrypt the private key file:

$ step crypto keypair foo.pub foo.key --kty EC --curve "P-256" \
--no-password --insecure

Create an Octet Key Pair with curve Ed25519:

$ step crypto keypair foo.pub foo.key --kty OKP --curve Ed25519
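The rules stated under OPTIONS (case-sensitive kty and curve names, the P-256 / Ed25519 / 2048-bit defaults, the RSA minimum that only --insecure overrides) and the check worth running on the resulting files, as an added example in Go using only the standard library. This is not code from the step CLI or the smallstep project: KeySpec, Generate and Inspect are names chosen for this example; it writes the private key unencrypted, which is what --no-password --insecure produces, and does not show password-based encryption; and the "PUBLIC KEY" / "PRIVATE KEY" PEM block types are the ones Go's x509 package emits, not necessarily the headers step writes.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// KeySpec mirrors --kty, --curve, --size and --insecure; zero values take the man page defaults.
type KeySpec struct {
	Kty      string // "EC" (default), "OKP" or "RSA"; case-sensitive
	Curve    string // EC: P-256 (default), P-384, P-521; OKP: Ed25519
	Size     int    // RSA modulus bits, default 2048
	Insecure bool   // allow RSA below 2048 bits, as --insecure does
}

// Generate enforces the option rules and returns the pair as PEM: a PKIX "PUBLIC KEY" block and an
// unencrypted PKCS#8 "PRIVATE KEY" block (what --no-password --insecure writes; no password encryption).
func Generate(spec KeySpec) (pubPEM, privPEM []byte, err error) {
	var priv crypto.Signer
	switch spec.Kty {
	case "", "EC":
		curves := map[string]elliptic.Curve{"": elliptic.P256(), "P-256": elliptic.P256(), "P-384": elliptic.P384(), "P-521": elliptic.P521()}
		c := curves[spec.Curve] // case-sensitive lookup like --curve; "" selects the default
		if c == nil {
			return nil, nil, fmt.Errorf("curve %q is not valid for kty EC", spec.Curve)
		}
		priv, err = ecdsa.GenerateKey(c, rand.Reader)
	case "OKP":
		if spec.Curve != "" && spec.Curve != "Ed25519" {
			return nil, nil, fmt.Errorf("curve %q is not valid for kty OKP", spec.Curve)
		}
		_, priv, err = ed25519.GenerateKey(rand.Reader)
	case "RSA":
		if spec.Size == 0 {
			spec.Size = 2048
		}
		if spec.Size < 2048 && !spec.Insecure {
			return nil, nil, fmt.Errorf("RSA keys require a minimum key size of 2048 bits, got %d (--insecure overrides)", spec.Size)
		}
		priv, err = rsa.GenerateKey(rand.Reader, spec.Size)
	default:
		return nil, nil, fmt.Errorf("kty %q is not valid: must be EC, OKP or RSA", spec.Kty)
	}
	if err != nil {
		return nil, nil, err
	}
	privDER, err1 := x509.MarshalPKCS8PrivateKey(priv)
	pubDER, err2 := x509.MarshalPKIXPublicKey(priv.Public())
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	privPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER})
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return pubPEM, privPEM, nil
}

// Inspect names the key the way the flags do ("EC P-256", "OKP Ed25519", "RSA 4096") and checks
// that pub_file really is the public half of priv_file by re-deriving it and comparing DER bytes.
func Inspect(pubPEM, privPEM []byte) (desc string, matches bool, err error) {
	pb, _ := pem.Decode(pubPEM)
	kb, _ := pem.Decode(privPEM)
	if pb == nil || kb == nil || kb.Type != "PRIVATE KEY" {
		return "", false, errors.New("expected PEM with an unencrypted PKCS#8 PRIVATE KEY block")
	}
	key, err := x509.ParsePKCS8PrivateKey(kb.Bytes)
	if err != nil {
		return "", false, err
	}
	switch k := key.(type) {
	case *ecdsa.PrivateKey:
		desc = "EC " + k.Curve.Params().Name
	case ed25519.PrivateKey:
		desc = "OKP Ed25519"
	case *rsa.PrivateKey:
		desc = fmt.Sprintf("RSA %d", k.N.BitLen())
	default:
		return "", false, errors.New("unsupported private key type")
	}
	derived, err := x509.MarshalPKIXPublicKey(key.(crypto.Signer).Public())
	if err != nil {
		return "", false, err
	}
	return desc, string(derived) == string(pb.Bytes), nil
}

func main() {
	pub, priv, err := Generate(KeySpec{Kty: "EC", Curve: "P-521"}) // like: --kty EC --curve "P-521"
	if err != nil {
		panic(err)
	}
	desc, ok, _ := Inspect(pub, priv)
	fmt.Printf("%s, public key matches private key: %v\n%s", desc, ok, pub)
}
```

Inspect is the check to run on any generated pair before the public key is bound to an identity in a CSR: that foo.pub is genuinely the public half of foo.key, and that the key type and curve are the ones that were requested rather than a default that slipped in. It refuses anything that is not an unencrypted PKCS#8 block, so pointing it at a password-protected private key produces an error instead of a misleading answer.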