step

Create CA

$ step ca init

$ step ca certificate [hostname] [cert.pem] [key.pem]

$ step certificate inspect [cert.pem]

$ step certificate create --csr [hostname] [csr.pem] [key.pem]

$ step certificate verify [cert.pem] --roots [ca.pem]

$ step certificate fingerprint [ca.pem]

$ step ca bootstrap --ca-url [https://ca:9000] --fingerprint [fingerprint]

step command [subcommand] [options]

step is a comprehensive command-line toolkit for working with certificates, keys, and cryptographic operations. It serves as both a standalone utility for inspecting and creating certificates and as the client interface for the step-ca private certificate authority server.
The tool provides subcommands for the full certificate lifecycle: creating certificate signing requests, requesting signed certificates from a CA, inspecting certificate details, verifying certificate chains, and managing SSH certificates. It supports modern cryptographic standards including ECDSA, EdDSA, and RSA keys, and can work with ACME protocol for automated certificate issuance.
When paired with a step-ca server, step enables automated PKI workflows including bootstrapping client trust, requesting short-lived certificates, and managing provisioners for different authentication methods such as OIDC, JWK, and ACME. It also supports SSH certificate management as an alternative to traditional long-lived SSH keys.

ca

Certificate authority commands.

Certificate operations.

Cryptographic operations.

SSH certificate commands.

OAuth operations.

CA server URL.

CA fingerprint.

~/.step/

Default step path containing CA configuration, certificates, and keys.

Default settings including CA URL, fingerprint, and provisioner.

Environment variable to override the default step configuration directory.

CA setup requires planning. Certificate lifetimes matter. Key security essential.

step and step-ca were created by Smallstep for modern PKI. They simplify certificate management for developers and DevOps.

openssl(1), cfssl(1), certbot(1)