smallstep_full_white

step crypto keypair

Name

step crypto keypair -- generate a public / private keypair in PEM format

Usage

step crypto keypair <pub_file> <priv_file>
[--kty=<key-type>] [--curve=<curve>] [--size=<size>]
[--password-file=<file>] [--no-password] [--insecure]

Description

step crypto keypair generates a raw public / private keypair in PEM format. These keys can be used by other operations to sign and encrypt data, and the public key can be bound to an identity in a CSR and signed by a CA to produce a certificate.

Private keys are encrypted using a password. You'll be prompted for this password automatically when the key is used.

Positional arguments

pub_file The path to write the public key.

priv_file The path to write the private key.

Options

--kty=kty The kty to build the certificate upon. If unset, default is EC.

kty is a case-sensitive string and must be one of:

  • EC: Create an elliptic curve keypair

  • OKP: Create an octet key pair (for "Ed25519" curve)

  • RSA: Create an RSA keypair

--size=size The size (in bits) of the key for RSA and oct key types. RSA keys require a minimum key size of 2048 bits. If unset, default is 2048 bits for RSA keys and 128 bits for oct keys.

--crv=curve, --curve=curve The elliptic curve to use for EC and OKP key types. Corresponds to the "crv" JWK parameter. Valid curves are defined in JWA [RFC7518]. If unset, default is P-256 for EC keys and Ed25519 for OKP keys.

curve is a case-sensitive string and must be one of:

  • P-256: NIST P-256 Curve

  • P-384: NIST P-384 Curve

  • P-521: NIST P-521 Curve

  • Ed25519: Ed25519 Curve

--from-jwk=jwk-file Create a PEM representing the key encoded in an existing jwk-file instead of creating a new key.

--password-file=file The path to the file containing the password to encrypt or decrypt the private key.

--no-password Do not ask for a password to encrypt a private key. Sensitive key material will be written to disk unencrypted. This is not recommended. Requires --insecure flag.

--insecure

-f, --force Force the overwrite of files without asking.

Exit codes

This command returns 0 on success and >0 if any error occurs.

Examples

Create an RSA public / private key pair with 4096 bits:

$ step crypto keypair foo.pub foo.key --kty RSA --size 4096

Create an RSA public / private key with fewer than the recommended number of bits (recommended `= 2048 bits):

$ step crypto keypair foo.pub foo.key --kty RSA --size 1024 --insecure

Create an EC public / private key pair with curve P-521:

$ step crypto keypair foo.pub foo.key --kty EC --curve "P-521"

Create an EC public / private key pair but do not encrypt the private key file:

$ step crypto keypair foo.pub foo.key --kty EC --curve "P-256" \
--no-password --insecure

Create an Octet Key Pair with curve Ed25519:

$ step crypto keypair foo.pub foo.key --kty OKP --curve Ed25519