
step ca

Name

step ca -- initialize and manage a certificate authority

Usage

step ca <subcommand> [arguments] [global-flags] [subcommand-flags]

Description

The step ca command group provides facilities to initialize a certificate authority, retrieve the root of trust, sign and renew certificates, and create and manage provisioners.

Examples

Create the configuration for a new certificate authority:

$ step ca init

Configure the ca-url and root in the environment:

$ step ca bootstrap \
  --ca-url https://ca.smallstep.com \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
$ cat $STEPPATH/config/defaults.json
{
  "ca-url": "https://ca.smallstep.com",
  "fingerprint": "0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3",
  "root": "/home/user/.step/certs/root_ca.crt"
}

Download the root_ca.crt:

$ step ca root root_ca.crt \
  --ca-url https://ca.smallstep.com \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3

Get the health status of the CA:

$ step ca health --ca-url https://ca.smallstep.com --root /home/user/.step/certs/root_ca.crt

Create a new certificate using a token:

$ TOKEN=$(step ca token internal.example.com)
$ step ca certificate internal.example.com internal.crt internal.key \
  --token $TOKEN --ca-url https://ca.smallstep.com --root root_ca.crt

Renew a certificate (certificate must still be valid):

$ step ca renew internal.crt internal.key \
  --ca-url https://ca.smallstep.com --root root_ca.crt

Commands

Name         Usage
health       get the status of the CA
init         initialize the CA PKI
bootstrap    initialize the environment to use the CA commands
token        generate an OTT granting access to the CA
certificate  generate a new private key and certificate signed by the root certificate
rekey        rekey a certificate
renew        renew a certificate
revoke       revoke a certificate
provisioner  create and manage the certificate authority provisioners
sign         generate a new certificate from signing a certificate request
root         download and validate the root certificate
roots        download all the root certificates
federation   download all the federated certificates
acme         manage ACME settings
policy       manage certificate issuance policies
admin        create and manage the certificate authority admins