Install step-ca
Learn how to to install the step-ca binary on your local machine.
Building from source?
Check out our guide to getting started with development.
To install step and step-ca together via Homebrew, run:
brew install step
We publish a Winget
package for Smallstep.step-ca.
To install both step-ca.exe and step.exe, run:
winget install Smallstep.step-ca
After installing, you may need to restart your terminal for step-ca to appear in your path.
To uninstall, run winget uninstall, then remove the configuration directory $HOME/.step.
We also publish a Scoop package:
scoop bucket add smallstep https://github.com/smallstep/scoop-bucket.git
scoop install smallstep/step
scoop install smallstep/step-ca
To uninstall, run scoop uninstall, then remove the configuration directory $HOME/.step.
Install both step-ca and the step CLI tool.
The step CLI tool is the easiest way to
initialize, configure, and control step-ca.
While step is not required to run step-ca, we recommend installing it.
To add Smallstep as a source and install the step-cli and step-ca packages on Debian or Ubuntu distributions, run the following as root:
apt-get update && apt-get install -y --no-install-recommends curl vim gpg ca-certificates
curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/trusted.gpg.d/smallstep.asc && \
echo 'deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main' \
| tee /etc/apt/sources.list.d/smallstep.list
apt-get update && apt-get -y install step-cli step-ca
Alternatively, to manually install a .deb for step-cli and step-ca, find the packages you need for your platform on our GitHub release pages for smallstep/cli (step-cli) and smallstep/certificates (step-ca).
To configure step-ca as a daemon, see our systemd configuration guide.
To uninstall, run dpkg -r step-cli step-ca, then remove the configuration directory $HOME/.step.
To add Smallstep as a source and install the step-cli and step-ca packages on RHEL or Fedora distributions, run the following as root:
cat <<EOT > /etc/yum.repos.d/smallstep.repo
[smallstep]
name=Smallstep
baseurl=https://packages.smallstep.com/stable/fedora/
enabled=1
repo_gpgcheck=0
gpgcheck=1
gpgkey=https://packages.smallstep.com/keys/smallstep-0x889B19391F774443.gpg
EOT
dnf makecache && dnf install -y step-cli step-ca
Alternatively, to manually install an .rpm for step-cli and step-ca, find the packages you need for your platform on our GitHub release pages for smallstep/cli (step-cli) and smallstep/certificates (step-ca).
To configure step-ca as a daemon, see our systemd configuration guide.
To uninstall, run dnf remove step-cli step-ca, then remove the configuration directory $HOME/.step.
These packages are maintained by trusted Arch Linux community members.
To install with pacman, run:
pacman -S step-cli step-ca
The binary tarballs can be found here:
To uninstall, run pacman -R step-ca step-cli, then remove the configuration directory $HOME/.step.
Big shout out to the maintainers of these packages! We appreciate you.
There are community-maintained Alpine Linux Packages for step and step-ca.
To install step with apk, run:
apk add step-cli step-certificates
The binary tarballs can be found here:
To uninstall, run apk del step-cli step-certificates, then remove the configuration directory $HOME/.step .
Big shout out to the maintainers of these packages! We appreciate you.
There are community-maintained packages for NixOS:
There are community-maintained packages for FreeBSD:
To install both packages in a FreeBSD jail, follow the steps in this installation transcript.
Big shout out to the maintainers of these packages! We appreciate you.
Wolfi has a maintained step-ca package.
Use apk to install step-ca:
apk add step-ca
To uninstall, run apk del step-ca and remove the $HOME/.step configuration directory.
We distribute pre-compiled binaries for amd64, arm64, armv6, armv7, mips, mips64, ppc64le, and 386.
For more, see our latest release page.
We use cosign to sign and verify release artifacts. For more: Binary Signatures.
To download and install the step and step-ca binaries on an amd64 machine:
-
Install
step.Download and install the Linux tarball from our latest release:
curl -LO https://dl.smallstep.com/cli/docs-ca-install/latest/step_linux_amd64.tar.gz tar -xf step_linux_amd64.tar.gz sudo cp step_linux_amd64/bin/step /usr/bin
-
Install
step-ca.Download and install the Linux tarball from our latest release:
curl -L https://dl.smallstep.com/certificates/docs-ca-install/latest/step-ca_linux_amd64.tar.gz tar -xf step-ca_linux_amd64.tar.gz sudo cp step-ca_linux_amd64/step-ca /usr/bin
To configure step-ca as a daemon, see our systemd configuration guide.
We use cosign to sign and verify release artifacts.
To verify the signature of the step-ca binary:
-
Download the binary signature (
.sig) and certificate (.pem) files from the Assets section of our GitHub Releases page. -
Run:
cosign verify-blob \ --certificate step-ca_linux_amd64.tar.gz.pem \ --signature step-ca_linux_amd64.tar.gz.sig \ --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ step-ca_linux_amd64.tar.gz
We publish Helm charts for easy installation on Kubernetes:
helm repo add smallstep https://smallstep.github.io/helm-charts/
helm repo update
helm install step-certificates smallstep/step-certificates
You can see all the configuration options at https://hub.helm.sh/charts/smallstep/step-certificates.
Autocert
If you're using Kubernetes, make sure you check out autocert, a
Kubernetes add-on that builds on step-ca to automatically inject
TLS/HTTPS certificates into your containers.
We publish docker images for easy container installation.
$ step version
Smallstep CLI/0.10.0 (darwin/amd64)
Release Date: 2019-04-30 19:01 UTC
$ step-ca version
Smallstep CA/0.10.0 (darwin/amd64)
Release Date: 2019-04-30 19:02 UTC
- Learn about the core concepts and design principles behind
step-ca. - Read the Getting Started guide to set up a CA and get your first certificate.
Last updated on April 8, 2025
Introducing
Device Identity
Ensure that only company-owned devices can access your enterprise's most sensitive resources.
