step beta ca provisioner add

Name

step beta ca provisioner add -- add a provisioner

Usage

step beta ca provisioner add <name> --type=JWK [--public-key=<file>]
[--private-key=<file>] [--create] [--password-file=<file>]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=OIDC
[--client-id=<id>] [--client-secret=<secret>]
[--configuration-endpoint=<url>] [--domain=<domain>]
[--admin=<email>]...
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]


step beta ca provisioner add <name> --type=X5C --x5c-root=<file>
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=SSHPOP
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=Nebula --nebula-root=<file>
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=K8SSA [--public-key=<file>]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=[AWS|Azure|GCP]
[--aws-account=<id>] [--gcp-service-account=<name>] [--gcp-project=<name>]
[--azure-tenant=<id>] [--azure-resource-group=<name>]
[--instance-age=<duration>] [--iid-roots=<file>]
[--disable-custom-sans] [--disable-trust-on-first-use]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=ACME [--force-cn] [--require-eab]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]

step beta ca provisioner add <name> --type=SCEP [--force-cn] [--challenge=<challenge>]
[--capabilities=<capabilities>] [--include-root] [--min-public-key-length=<length>]
[--encryption-algorithm-identifier=<id>] [--admin-cert=<file>] [--admin-key=<file>]
[--admin-provisioner=<string>] [--admin-subject=<string>] [--password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>]

Description

step ca provisioner add adds a provisioner to the CA configuration.

WARNING: The 'beta' prefix is deprecated and will be removed in a future release. Please use 'step ca admin ...' going forwards.

Positional arguments

name The name of the provisioner.

Options

--type=type The type of provisioner to create.

type is a case-insensitive string and must be one of:

  • JWK: Uses a JWK key pair to sign provisioning tokens. (default)

  • OIDC: Uses an OpenID Connect provider to sign provisioning tokens.

  • AWS: Uses Amazon AWS instance identity documents.

  • GCP: Uses Google instance identity tokens.

  • Azure: Uses Microsoft Azure identity tokens.

  • ACME: Uses the ACME protocol to create certificates.

  • X5C: Uses an X509 certificate / private key pair to sign provisioning tokens.

  • K8SSA: Uses Kubernetes Service Account tokens.

  • SSHPOP: Uses an SSH certificate / private key pair to sign provisioning tokens.

  • SCEP: Uses the SCEP protocol to create certificates.

  • Nebula: Uses a Nebula certificate / private key pair to sign provisioning tokens.

--x509-template=file The x509 certificate template file, a JSON representation of the certificate to create.

--x509-template-data=file The x509 certificate template data file, a JSON map of data that can be used by the certificate template.

--ssh-template=file The ssh certificate template file, a JSON representation of the certificate to create.

--ssh-template-data=file The ssh certificate template data file, a JSON map of data that can be used by the certificate template.

--x509-min-dur=duration The minimum duration for an x509 certificate generated by this provisioner.

--x509-max-dur=duration The maximum duration for an x509 certificate generated by this provisioner.

--x509-default-dur=duration The default duration for an x509 certificate generated by this provisioner.

--ssh-user-min-dur=duration The minimum duration for an ssh user certificate generated by this provisioner.

--ssh-user-max-dur=duration The maximum duration for an ssh user certificate generated by this provisioner.

--ssh-user-default-dur=duration The default duration for an ssh user certificate generated by this provisioner.

--ssh-host-min-dur=duration The minimum duration for an ssh host certificate generated by this provisioner.

--ssh-host-max-dur=duration The maximum duration for an ssh host certificate generated by this provisioner.

--ssh-host-default-dur=duration The default duration for an ssh host certificate generated by this provisioner.

--disable-renewal Disable renewal for all certificates generated by this provisioner.

--allow-renewal-after-expiry Allow renewals for expired certificates generated by this provisioner.

--x509 Enable provisioning of x509 certificates.

--ssh Enable provisioning of ssh certificates.

--create Create the JWK key pair for the provisioner.

--private-key=file The file containing the JWK private key.

--public-key=file The file containing the JWK public key. Or, a file containing one or more PEM formatted keys, if used with the K8SSA provisioner.

--client-id=id The id used to validate the audience in an OpenID Connect token.

--client-secret=secret The secret used to obtain the OpenID Connect tokens.

--listen-address=address The callback address used in the OpenID Connect flow (e.g. ":10000").

--configuration-endpoint=url OpenID Connect configuration url.

--admin=email The email of an admin user in an OpenID Connect provisioner. This user will not be restricted in the certificates it can have signed. Use the '--admin' flag multiple times to configure multiple administrators.

--group=group The group list used to validate the groups extension in an OpenID Connect token. Use the '--group' flag multiple times to configure multiple groups.

--tenant-id=tenant-id The tenant-id used to replace the templatized {tenantid} in the OpenID Configuration.

--x5c-root=file Root certificate (chain) file used to validate the signature on X5C provisioning tokens.

--nebula-root=file Root certificate (chain) file used to validate the signature on Nebula provisioning tokens.

--force-cn Always set the common name in provisioned certificates.

--require-eab Require (and enable) External Account Binding for Account creation.

--challenge=challenge The SCEP challenge to use as a shared secret between a client and the CA.

--capabilities=capabilities The SCEP capabilities to advertise.

--include-root Include the CA root certificate in the SCEP CA certificate chain.

--min-public-key-length=length The minimum public key length of the SCEP RSA encryption key.

--encryption-algorithm-identifier=id The id for the SCEP encryption algorithm to use. Valid values are 0 - 4, inclusive. The values correspond to: 0: DES-CBC, 1: AES-128-CBC, 2: AES-256-CBC, 3: AES-128-GCM, 4: AES-256-GCM. Defaults to DES-CBC (0) for legacy clients.

--aws-account=id The AWS account id used to validate the identity documents. Use the flag multiple times to configure multiple accounts.

--azure-tenant=id The Microsoft Azure tenant id used to validate the identity tokens.

--azure-resource-group=name The Microsoft Azure resource group name used to validate the identity tokens. Use the flag multiple times to configure multiple resource groups.

--azure-subscription-id=id The Microsoft Azure subscription id used to validate the identity tokens. Use the flag multiple times to configure multiple subscription IDs.

--azure-object-id=id The Microsoft Azure AD object id used to validate the identity tokens. Use the flag multiple times to configure multiple object IDs.

--gcp-service-account=email The Google service account email or id used to validate the identity tokens. Use the flag multiple times to configure multiple service accounts.

--gcp-project=id The Google project id used to validate the identity tokens. Use the flag multiple times to configure multiple projects.

--instance-age=duration The maximum duration to grant a certificate in AWS and GCP provisioners. A duration is a sequence of decimal numbers, each with an optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--iid-roots=file The file containing the certificates used to validate the instance identity documents in AWS.

--disable-custom-sans On cloud provisioners, if enabled, only the internal DNS name and IP address will be added as SANs. By default any SAN in the CSR is accepted.

--disable-trust-on-first-use, --disable-tofu On cloud provisioners, if enabled, multiple sign requests for this provisioner from the same instance will be accepted. By default only the first request is accepted.

--admin-cert=chain Admin certificate (chain) in PEM format to store in the 'x5c' header of a JWT.

--admin-key=file Private key file, used to sign a JWT, corresponding to the admin certificate that will be stored in the 'x5c' header.

--admin-provisioner=name, --admin-issuer=name The provisioner name to use for generating admin credentials.

--admin-subject=subject, --admin-name=subject The admin subject to use for generating admin credentials.

--password-file=file The path to the file containing the password to encrypt or decrypt the private key.

--ca-url=URI URI of the targeted Step Certificate Authority.

--root=file The path to the PEM file used as the root certificate authority.

--context=name The context name to apply for the given command.

Examples

Create a JWK provisioner with newly generated keys and a template for x509 certificates:

step beta ca provisioner add cicd --type JWK --create --x509-template ./templates/example.tpl

Create a JWK provisioner with duration claims:

step beta ca provisioner add cicd --type JWK --create --x509-min-dur 20m --x509-default-dur 48h --ssh-user-min-dur 17m --ssh-host-default-dur 16h
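Before running a command like the one above it is worth sanity-checking the nine --*-dur flags: their values use the duration syntax described under --instance-age, and a default that falls outside the [min, max] window is easy to produce by hand. The following Go program is an added example, not part of step or of this page; it assumes that min <= default <= max is the intended relationship between the three flags of each family, and reports every value that does not parse, is not positive, or breaks that ordering.

```go
package main

import (
	"fmt"
	"time"
)

// ParseCertDuration parses the duration syntax the --instance-age help describes
// ("300ms", "2h45m", ...) and rejects values unusable as a certificate lifetime.
func ParseCertDuration(s string) (time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, err
	}
	if d <= 0 { // "-1.5h" parses, but a negative or zero lifetime is a mistake
		return 0, fmt.Errorf("duration %q must be positive", s)
	}
	return d, nil
}

// CheckDurationFlags takes the --<group>-{min,default,max}-dur values as typed on the
// command line (flag name without dashes -> value) and reports values that do not parse,
// are not positive, or break the assumed ordering min <= default <= max.
func CheckDurationFlags(flags map[string]string) []string {
	var problems []string
	for _, g := range []string{"x509", "ssh-user", "ssh-host"} {
		got := map[string]time.Duration{}
		for _, kind := range []string{"min", "default", "max"} {
			name := g + "-" + kind + "-dur"
			v, ok := flags[name]
			if !ok {
				continue
			}
			if d, err := ParseCertDuration(v); err != nil {
				problems = append(problems, "--"+name+": "+err.Error())
			} else {
				got[kind] = d
			}
		}
		// Every pair that must satisfy low <= high; a missing flag skips that check.
		for _, p := range [][2]string{{"min", "default"}, {"default", "max"}, {"min", "max"}} {
			lo, okLo := got[p[0]]
			hi, okHi := got[p[1]]
			if okLo && okHi && lo > hi {
				problems = append(problems, fmt.Sprintf("--%s-%s-dur %v exceeds --%s-%s-dur %v", g, p[0], lo, g, p[1], hi))
			}
		}
	}
	return problems
}
```

Feed it the flag values you intend to pass and fix anything it reports before invoking step; an empty result means the families are internally consistent.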

Create a JWK provisioner with existing keys:

step beta ca provisioner add jane@doe.com --type JWK --public-key jwk.pub --private-key jwk.priv

Create an OIDC provisioner:

step beta ca provisioner add Google --type OIDC --ssh \
  --client-id 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com \
  --client-secret udTrOT3gzrO7W9fDPgZQLfYJ \
  --configuration-endpoint https://accounts.google.com/.well-known/openid-configuration

Create an X5C provisioner:

step beta ca provisioner add x5c --type X5C --x5c-root x5c_ca.crt

Create an ACME provisioner:

step beta ca provisioner add acme --type ACME

Create an ACME provisioner, forcing a CN and requiring EAB:

step beta ca provisioner add acme --type ACME --force-cn --require-eab

Create a K8SSA provisioner:

step beta ca provisioner add kube --type K8SSA --ssh --public-key key.pub

Create an SSHPOP provisioner for renewing SSH host certificates:

step beta ca provisioner add sshpop --type SSHPOP

Create a SCEP provisioner with 'secret' challenge and AES-256-CBC encryption:

step beta ca provisioner add my_scep_provisioner --type SCEP --challenge secret --encryption-algorithm-identifier 2

Create an Azure provisioner with two resource groups, one subscription ID and one object ID:

$ step beta ca provisioner add Azure --type Azure \
  --azure-tenant bc9043e2-b645-4c1c-a87a-78f8644bfe57 \
  --azure-resource-group identity --azure-resource-group accounting \
  --azure-subscription-id dc760a01-2886-4a84-9abc-f3508e0f87d9 \
  --azure-object-id f50926c7-abbf-4c28-87dc-9adc7eaf3ba7

Create a GCP provisioner that will only accept the SANs provided in the identity token:

$ step beta ca provisioner add Google --type GCP \
  --disable-custom-sans --gcp-project internal

Create an AWS provisioner that will only accept the SANs provided in the identity document and will allow multiple certificates from the same instance:

$ step beta ca provisioner add Amazon --type AWS \
  --aws-account 123456789 --disable-custom-sans --disable-trust-on-first-use

Create an AWS provisioner that will use a custom certificate to validate the instance identity documents:

$ step beta ca provisioner add Amazon --type AWS \
  --aws-account 123456789 --iid-roots $(step path)/certs/aws.crt