step beta ca provisioner add
Name
step beta ca provisioner add -- add a provisioner
Usage
step beta ca provisioner add <name> --type=JWK [--public-key=<file>]
[--private-key=<file>] [--create] [--password-file=<file>]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]
step beta ca provisioner add <name> --type=OIDC
[--client-id=<id>] [--client-secret=<secret>]
[--configuration-endpoint=<url>] [--domain=<domain>]
[--admin=<email>]...
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]
step beta ca provisioner add <name> --type=X5C --x5c-root=<file>
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]
step beta ca provisioner add <name> --type=SSHPOP
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]
step beta ca provisioner add <name> --type=Nebula --nebula-root=<file>
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]
step beta ca provisioner add <name> --type=K8SSA [--public-key=<file>]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]
step beta ca provisioner add <name> --type=[AWS|Azure|GCP]
[--aws-account=<id>] [--gcp-service-account=<name>] [--gcp-project=<name>]
[--azure-tenant=<id>] [--azure-resource-group=<name>]
[--instance-age=<duration>] [--iid-roots=<file>]
[--disable-custom-sans] [--disable-trust-on-first-use]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]
step beta ca provisioner add <name> --type=ACME [--force-cn] [--require-eab]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-provisioner=<name>]
[--admin-subject=<subject>] [--password-file=<file>] [--ca-url=<uri>]
[--root=<file>] [--context=<name>]
step beta ca provisioner add <name> --type=SCEP [--force-cn] [--challenge=<challenge>]
[--capabilities=<capabilities>] [--include-root] [--min-public-key-length=<length>]
[--encryption-algorithm-identifier=<id>] [--admin-cert=<file>] [--admin-key=<file>]
[--admin-provisioner=<string>] [--admin-subject=<string>] [--password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>]
Description
step ca provisioner add adds a provisioner to the CA configuration.
WARNING: The 'beta' prefix is deprecated and will be removed in a future release. Please use 'step ca admin ...' going forwards.
Positional arguments
name
The name of the provisioner.
Options
--type=type
    The type of provisioner to create. type is a case-insensitive string and must be one of:
    - JWK: Uses a JWK key pair to sign provisioning tokens. (default)
    - OIDC: Uses an OpenID Connect provider to sign provisioning tokens.
    - AWS: Uses Amazon AWS instance identity documents.
    - GCP: Uses Google instance identity tokens.
    - Azure: Uses Microsoft Azure identity tokens.
    - ACME: Uses the ACME protocol to create certificates.
    - X5C: Uses an X509 certificate / private key pair to sign provisioning tokens.
    - K8SSA: Uses Kubernetes Service Account tokens.
    - SSHPOP: Uses an SSH certificate / private key pair to sign provisioning tokens.
    - SCEP: Uses the SCEP protocol to create certificates.
    - Nebula: Uses a Nebula certificate / private key pair to sign provisioning tokens.
--x509-template=file
    The x509 certificate template file, a JSON representation of the certificate to create.
--x509-template-data=file
    The x509 certificate template data file, a JSON map of data that can be used by the certificate template.
--ssh-template=file
    The ssh certificate template file, a JSON representation of the certificate to create.
--ssh-template-data=file
    The ssh certificate template data file, a JSON map of data that can be used by the certificate template.
--x509-min-dur=duration
    The minimum duration for an x509 certificate generated by this provisioner.
--x509-max-dur=duration
    The maximum duration for an x509 certificate generated by this provisioner.
--x509-default-dur=duration
    The default duration for an x509 certificate generated by this provisioner.
--ssh-user-min-dur=duration
    The minimum duration for an ssh user certificate generated by this provisioner.
--ssh-user-max-dur=duration
    The maximum duration for an ssh user certificate generated by this provisioner.
--ssh-user-default-dur=duration
    The default duration for an ssh user certificate generated by this provisioner.
--ssh-host-min-dur=duration
    The minimum duration for an ssh host certificate generated by this provisioner.
--ssh-host-max-dur=duration
    The maximum duration for an ssh host certificate generated by this provisioner.
--ssh-host-default-dur=duration
    The default duration for an ssh host certificate generated by this provisioner.
--disable-renewal
    Disable renewal for all certificates generated by this provisioner.
--allow-renewal-after-expiry
    Allow renewals for expired certificates generated by this provisioner.
--x509
    Enable provisioning of x509 certificates.
--ssh
    Enable provisioning of ssh certificates.
--create
    Create the JWK key pair for the provisioner.
--private-key=file
    The file containing the JWK private key.
--public-key=file
    The file containing the JWK public key. Or, when used with the K8SSA provisioner, a file containing one or more PEM formatted keys.
--client-id=id
    The id used to validate the audience in an OpenID Connect token.
--client-secret=secret
    The secret used to obtain the OpenID Connect tokens.
--listen-address=address
    The callback address used in the OpenID Connect flow (e.g. ":10000").
--configuration-endpoint=url
    OpenID Connect configuration url.
--admin=email
    The email of an admin user in an OpenID Connect provisioner; this user will not have restrictions on the certificates to sign. Use the '--admin' flag multiple times to configure multiple administrators.
--group=group
    The group list used to validate the groups extension in an OpenID Connect token. Use the '--group' flag multiple times to configure multiple groups.
--tenant-id=tenant-id
    The tenant-id used to replace the templatized {tenantid} in the OpenID Configuration.
--x5c-root=file
    Root certificate (chain) file used to validate the signature on X5C provisioning tokens.
--nebula-root=file
    Root certificate (chain) file used to validate the signature on Nebula provisioning tokens.
--force-cn
    Always set the common name in provisioned certificates.
--require-eab
    Require (and enable) External Account Binding for Account creation.
--challenge=challenge
    The SCEP challenge to use as a shared secret between a client and the CA.
--capabilities=capabilities
    The SCEP capabilities to advertise.
--include-root
    Include the CA root certificate in the SCEP CA certificate chain.
--min-public-key-length=length
    The minimum public key length of the SCEP RSA encryption key.
--encryption-algorithm-identifier=id
    The id for the SCEP encryption algorithm to use. Valid values are 0 - 4, inclusive. The values correspond to:
    0: DES-CBC,
    1: AES-128-CBC,
    2: AES-256-CBC,
    3: AES-128-GCM,
    4: AES-256-GCM.
    Defaults to DES-CBC (0) for legacy clients.
--aws-account=id
    The AWS account id used to validate the identity documents. Use the flag multiple times to configure multiple accounts.
--azure-tenant=id
    The Microsoft Azure tenant id used to validate the identity tokens.
--azure-resource-group=name
    The Microsoft Azure resource group name used to validate the identity tokens. Use the flag multiple times to configure multiple resource groups.
--azure-subscription-id=id
    The Microsoft Azure subscription id used to validate the identity tokens. Use the flag multiple times to configure multiple subscription IDs.
--azure-object-id=id
    The Microsoft Azure AD object id used to validate the identity tokens. Use the flag multiple times to configure multiple object IDs.
--gcp-service-account=email
    The Google service account email or id used to validate the identity tokens. Use the flag multiple times to configure multiple service accounts.
--gcp-project=id
    The Google project id used to validate the identity tokens. Use the flag multiple times to configure multiple projects.
--instance-age=duration
    The maximum duration to grant a certificate in AWS and GCP provisioners. A duration is a sequence of decimal numbers, each with an optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
--iid-roots=file
    The file containing the certificates used to validate the instance identity documents in AWS.
--disable-custom-sans
    On cloud provisioners, if enabled, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.
--disable-trust-on-first-use, --disable-tofu
    On cloud provisioners, if enabled, multiple sign requests for this provisioner with the same instance will be accepted. By default only the first request will be accepted.
--admin-cert=chain
    Admin certificate (chain) in PEM format to store in the 'x5c' header of a JWT.
--admin-key=file
    Private key file, used to sign a JWT, corresponding to the admin certificate that will be stored in the 'x5c' header.
--admin-provisioner=name, --admin-issuer=name
    The provisioner name to use for generating admin credentials.
--admin-subject=subject, --admin-name=subject
    The admin subject to use for generating admin credentials.
--password-file=file
    The path to the file containing the password to encrypt or decrypt the private key.
--ca-url=URI
    URI of the targeted Step Certificate Authority.
--root=file
    The path to the PEM file used as the root certificate authority.
--context=name
    The context name to apply for the given command.
Examples
Create a JWK provisioner with newly generated keys and a template for x509 certificates:
step beta ca provisioner add cicd --type JWK --create --x509-template ./templates/example.tpl
Create a JWK provisioner with duration claims:
step beta ca provisioner add cicd --type JWK --create --x509-min-dur 20m --x509-default-dur 48h --ssh-user-min-dur 17m --ssh-host-default-dur 16h
Create a JWK provisioner with existing keys:
step beta ca provisioner add jane@doe.com --type JWK --public-key jwk.pub --private-key jwk.priv
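The script below is an added example, not part of this reference page or of the smallstep code base. It ties the JWK examples together: it writes a restrictive x509 template, checks that the min/default/max lifetimes are ordered before they reach the CA, and then assembles the `step beta ca provisioner add` call. The template body follows the smallstep default leaf template format as I know it and is an assumption of the example, as are the provisioner name `cicd`, the template path and the `DRY_RUN` switch (which defaults to printing the command rather than changing the CA). The duration parser accepts exactly the unit suffixes documented under `--instance-age` and rejects everything else, including negative values.

```shell
#!/bin/sh
# Added example, not part of the step CLI docs or the smallstep code base.
# Creates a JWK provisioner for a CI/CD pipeline with a restrictive x509
# template and lifetime bounds that are validated before step is invoked.
# Assumed: provisioner name "cicd", the template path, and DRY_RUN (default 1,
# so nothing is sent to the CA unless DRY_RUN=0 is set explicitly).

# Write a leaf template in the smallstep x509 template format (assumed to match
# the project's default leaf template): subject and SANs come from the token,
# and the certificate is limited to digitalSignature + serverAuth/clientAuth.
write_template() {
    cat > "$1" <<'EOF'
{
    "subject": {{ toJson .Subject }},
    "sans": {{ toJson .SANs }},
    "keyUsage": ["digitalSignature"],
    "extKeyUsage": ["serverAuth", "clientAuth"]
}
EOF
}

# Convert a duration in the format documented for --instance-age ("20m", "48h",
# "2h45m", "300ms") to seconds. Prints "invalid" and returns 1 for anything
# else, including negative values, which make no sense as a certificate lifetime.
dur_to_seconds() {
    printf '%s\n' "$1" | awk '
    {
        s = $0; total = 0
        while (match(s, /^[0-9]+(\.[0-9]+)?(ns|us|ms|s|m|h)/)) {
            tok = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
            n = tok; unit = tok
            sub(/[a-z]+$/, "", n); sub(/^[0-9.]+/, "", unit)
            if (unit == "h") total += n * 3600
            else if (unit == "m") total += n * 60
            else if (unit == "s") total += n
            else if (unit == "ms") total += n / 1000
            else if (unit == "us") total += n / 1000000
            else total += n / 1000000000
        }
        if (s != "") { print "invalid"; exit 1 }
        print total
    }'
}

# Return 0 only if min <= default <= max. Catching this here avoids configuring
# a provisioner whose defaults the CA can never honour.
check_bounds() {
    lo_s=$(dur_to_seconds "$1") || return 1
    def_s=$(dur_to_seconds "$2") || return 1
    hi_s=$(dur_to_seconds "$3") || return 1
    awk -v lo="$lo_s" -v def="$def_s" -v hi="$hi_s" \
        'BEGIN { exit !(lo <= def && def <= hi) }'
}

main() {
    name=cicd                                  # assumed provisioner name
    tpl=${TMPDIR:-/tmp}/cicd-leaf.tpl          # assumed template path
    min=5m; def=1h; max=24h                    # short-lived pipeline certs

    write_template "$tpl"
    if ! check_bounds "$min" "$def" "$max"; then
        echo "refusing: need $min <= $def <= $max" >&2
        return 1
    fi

    # Same flags as the JWK examples above; admin/--ca-url/--context flags from
    # the Usage section can be appended unchanged.
    set -- beta ca provisioner add "$name" --type JWK --create \
        --x509-template "$tpl" \
        --x509-min-dur "$min" --x509-default-dur "$def" --x509-max-dur "$max"
    if [ "${DRY_RUN:-1}" = 0 ]; then
        step "$@"
    else
        echo "DRY_RUN: step $*"
    fi
}

main
```

Run it as `DRY_RUN=0 sh add-cicd-provisioner.sh` once the target CA is selected via `--ca-url`/`--root` or a `step` context; without `DRY_RUN=0` it only prints the command it would run, which is a convenient way to review the flags in a change request before touching the CA.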
Create an OIDC provisioner:
step beta ca provisioner add Google --type OIDC --ssh \
--client-id 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com \
--client-secret udTrOT3gzrO7W9fDPgZQLfYJ \
--configuration-endpoint https://accounts.google.com/.well-known/openid-configuration
Create an X5C provisioner:
step beta ca provisioner add x5c --type X5C --x5c-root x5c_ca.crt
Create an ACME provisioner:
step beta ca provisioner add acme --type ACME
Create an ACME provisioner, forcing a CN and requiring EAB:
step beta ca provisioner add acme --type ACME --force-cn --require-eab
Create a K8SSA provisioner:
step beta ca provisioner add kube --type K8SSA --ssh --public-key key.pub
Create an SSHPOP provisioner for renewing SSH host certificates:
step beta ca provisioner add sshpop --type SSHPOP
Create a SCEP provisioner with 'secret' challenge and AES-256-CBC encryption:
step beta ca provisioner add my_scep_provisioner --type SCEP --challenge secret --encryption-algorithm-identifier 2
Create an Azure provisioner with two resource groups, one subscription ID and one object ID:
$ step beta ca provisioner add Azure --type Azure \
--azure-tenant bc9043e2-b645-4c1c-a87a-78f8644bfe57 \
--azure-resource-group identity --azure-resource-group accounting \
--azure-subscription-id dc760a01-2886-4a84-9abc-f3508e0f87d9 \
--azure-object-id f50926c7-abbf-4c28-87dc-9adc7eaf3ba7
Create a GCP provisioner that will only accept the SANs provided in the identity token:
$ step beta ca provisioner add Google --type GCP \
--disable-custom-sans --gcp-project internal
Create an AWS provisioner that will only accept the SANs provided in the identity document and will allow multiple certificates from the same instance:
$ step beta ca provisioner add Amazon --type AWS \
--aws-account 123456789 --disable-custom-sans --disable-trust-on-first-use
Create an AWS provisioner that will use a custom certificate to validate the instance identity documents:
$ step beta ca provisioner add Amazon --type AWS \
--aws-account 123456789 --iid-roots $(step path)/certs/aws.crt