You don't need to run an online Certificate Authority to create certificates and perform basic crypto operations using the step CLI tool. This document gives some examples of things you can do with the step command by itself.
Let's take a look at the step certificate command group.
The step certificate command group is a Swiss Army knife for working with certificates.
You can use it to create certificate signing requests (CSRs),
create self-signed certificates (e.g., a root certificate authority),
create leaf or intermediate CA certificates,
validate and inspect certificates,
generate certificate bundles,
and to key-wrap private keys.
step is a full-fledged ACME client (ACME is the protocol used by Let's Encrypt). Unlike other ACME clients, step connects to a configured step-ca daemon by default. To use it with Let's Encrypt or another ACME server instead, you can pass an --acme endpoint:
step ca certificate example.com example.com.crt example.com.key \
This command will:
Request an SSL certificate from Let's Encrypt and receive a challenge token in response
Wait for Let's Encrypt to hit the HTTP server and issue a certificate
Save the certificate and private key to example.com.crt and example.com.key
If you don't want step to run a standalone server to respond to the ACME challenge, you can pass --webroot <path> to specify a path where step will place the .well-known/acme-challenge/<TOKEN> token file.
For a dry run, you can use Let's Encrypt's staging server URL: https://acme-staging-v02.api.letsencrypt.org/directory
Generate JSON Web Tokens (JWTs) and JSON Web Keys (JWKs)
The following command groups work with JOSE objects like JWTs and JWEs:
step crypto jwt
step crypto jwk
step crypto jwe
step crypto jws
step crypto jose
In this example, you'll create a JSON Web Key (JWK), add the public key to a keyset, and sign a JSON Web Token (JWT) that expires in 15 minutes:
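The three steps above as a shell script; this is an added example, not the step project's own listing. The file names, the issuer/audience/subject values, the helper function names and the RUN_DEMO switch are assumptions, and the script also verifies the token against the keyset and decodes its claims so the 15-minute exp can be checked.

```shell
#!/bin/sh
# Added example: create a JWK, publish its public half in a keyset,
# sign a JWT that expires in 15 minutes, then verify it against the keyset.
set -eu

# Expiry as Unix seconds, N minutes from now (works with GNU and BSD date).
exp_in_minutes() {
  echo $(( $(date +%s) + $1 * 60 ))
}

# Decode the claims segment of a JWT WITHOUT verifying the signature,
# so the exp/iss/aud values can be inspected.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in   # restore the base64 padding JWTs strip
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Key pair, keyset and token. File names and claim values are assumptions.
issue_token() {
  # --no-password --insecure writes the private JWK unencrypted so the demo
  # is non-interactive; drop both flags to be prompted for a password.
  step crypto jwk create pub.json key.json --no-password --insecure >&2
  step crypto jwk keyset add keys.json < pub.json >&2
  step crypto jwt sign --key key.json \
    --iss "issuer@example.com" --aud "audience@example.com" \
    --sub "subject@example.com" --exp "$(exp_in_minutes 15)"
}

# Reads a token on stdin; checks signature, issuer, audience and expiry.
verify_token() {
  step crypto jwt verify --jwks keys.json \
    --iss "issuer@example.com" --aud "audience@example.com"
}

# Run with RUN_DEMO=1 on a machine that has the step CLI installed.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  cd "$(mktemp -d)"
  token=$(issue_token)
  jwt_payload "$token"; echo
  printf '%s' "$token" | verify_token
fi
```

Only pub.json and keys.json are meant to be shared; key.json is the signing key and, in this demo form, is stored unencrypted.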