NAME

step ssh rekey – rekey an SSH certificate using the SSH CA

USAGE

step ssh rekey ssh-cert ssh-key [--out=file] [--issuer=name] [--password-file=path] [--force] [--ca-url=uri] [--root=path] [--offline] [--ca-config=path]

DESCRIPTION

The step ssh rekey command generates a new SSH certificate and key, using an existing SSH certificate and key pair to authenticate and templatize the request. It writes the new certificate to disk, either overwriting ssh-cert or using new files when the --out=file flag is used.

POSITIONAL ARGUMENTS

ssh-cert
The SSH certificate to renew.
ssh-key
The SSH certificate private key.

OPTIONS

--out=file
The new key file path. Defaults to overwriting the ssh-cert positional argument.
--provisioner=name, --issuer=name
The provisioner name to use.
--provisioner-password-file=file
The path to the file containing the password to decrypt the one-time token generating key.
--no-password
Do not ask for a password to encrypt a private key. Sensitive key material will be written to disk unencrypted. This is not recommended. Requires --insecure flag.
--insecure
-f, --force
Force the overwrite of files without asking.
--ca-url=URI
URI of the targeted Step Certificate Authority.
--root=file
The path to the PEM file used as the root certificate authority.
--offline
Creates a certificate without contacting the certificate authority. Offline mode uses the configuration, certificates, and keys created with step ca init, but can accept a different configuration file using the '--ca-config' flag.
--ca-config=path
The path to the certificate authority configuration file. Defaults to $STEPPATH/config/ca.json.
--sshpop-cert=chain
Certificate (chain) in PEM format to store in the 'sshpop' header of a JWT.
--sshpop-key=path
Private key path, used to sign a JWT, corresponding to the certificate that will be stored in the 'sshpop' header.

EXAMPLES

Rekey an SSH certificate:

$ step ssh rekey id_ecdsa-cert.pub id_ecdsa

Rekey an SSH certificate, creating id2_ecdsa, id2_ecdsa.pub, and id2_ecdsa-cert.pub:

$ step ssh rekey --out id2_ecdsa id_ecdsa-cert.pub id_ecdsa