step ssh renew -- renew an SSH certificate using the SSH CA


step ssh renew ssh-cert ssh-key [--out=file] [--issuer=name] [--password-file=path] [--force] [--ca-url=uri] [--root=path] [--offline] [--ca-config=path]


The step ssh renew command renews an SSH certificate using step certificates. It writes the new certificate to disk, either overwriting ssh-cert or writing to a new file when the --out=file flag is used.


ssh-cert
The ssh certificate to renew.
ssh-key
The ssh certificate private key.


--out=file, --output-file=file
The new certificate file path. Defaults to overwriting the ssh-cert positional argument.
--provisioner=name, --issuer=name
The provisioner name to use.
--password-file=path
The path to the file containing the password to decrypt the one-time token generating key.
-f, --force
Force the overwrite of files without asking.
--ca-url=uri
URI of the targeted Step Certificate Authority.
--root=path
The path to the PEM file used as the root certificate authority.
--offline
Creates a certificate without contacting the certificate authority. Offline mode uses the configuration, certificates, and keys created with step ca init, but can accept a different configuration file using the --ca-config flag.
--ca-config=path
The path to the certificate authority configuration file. Defaults to $STEPPATH/config/ca.json
Certificate (chain) in PEM format to store in the ‘sshpop’ header of a JWT.
Private key path, used to sign a JWT, corresponding to the certificate that will be stored in the ‘sshpop’ header.


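Renew an ssh certificate, overwriting the previous one (the file names are examples: id_ecdsa-cert.pub is the certificate for the key id_ecdsa):

$ step ssh renew -f id_ecdsa-cert.pub id_ecdsa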

Renew an ssh certificate with a custom out file (new-id_ecdsa-cert.pub is an example name):

$ step ssh renew --out new-id_ecdsa-cert.pub id_ecdsa-cert.pub id_ecdsa
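
Renew only when the certificate is close to expiry (an added example, not part of the step documentation). It reads the validity window from ssh-keygen -L and calls step ssh renew --force when less than a threshold remains. The function names, the 8-hour default threshold and the use of GNU date are assumptions of this example.

```shell
#!/bin/sh
# Added example: renew an SSH certificate only when it is close to expiry.
# Assumes GNU date (for `date -d`) and OpenSSH's `ssh-keygen -L` "Valid:" line.

# Read `ssh-keygen -L` output on stdin and print the end of the validity
# window, or "forever" when the certificate has no end date.
cert_valid_to() {
    awk '$1 == "Valid:" {
        print ($2 == "from" ? $5 : ($2 == "before" ? $3 : "forever")); exit
    }'
}

# renewal_due VALID_TO NOW_EPOCH THRESHOLD_SECONDS
# Succeeds (exit 0) when the certificate has expired or expires within the
# threshold. Returns 1 when renewal is not needed, 2 on an unparsable date.
renewal_due() {
    [ "$1" = "forever" ] && return 1
    expiry=$(date -d "$1" +%s) || return 2
    [ $((expiry - $2)) -lt "$3" ]
}

# renew_if_due CERT KEY [THRESHOLD_SECONDS]   (threshold default is assumed)
renew_if_due() {
    valid_to=$(ssh-keygen -L -f "$1" | cert_valid_to)
    [ -n "$valid_to" ] || { echo "no validity line found in $1" >&2; return 2; }
    if renewal_due "$valid_to" "$(date +%s)" "${3:-28800}"; then
        # --force overwrites CERT without prompting, as in the first example.
        step ssh renew --force "$1" "$2"
    fi
}

# Run only when invoked as: script CERT KEY
[ "$#" -ne 2 ] || renew_if_due "$1" "$2"
```

Run it from a scheduler with the certificate and key paths as arguments; it exits without contacting the CA while the certificate still has more than the threshold left.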