LinuxCommandLibrary

step

Smallstep CLI for PKI management, certificate issuance, and ACME operations

TLDR

Inspect the contents of a certificate

$ step certificate inspect [path/to/certificate.crt]

Create a root CA certificate and a key (append --no-password --insecure to skip private key password protection)
$ step certificate create "[Example Root CA]" [path/to/root-ca.crt] [path/to/root-ca.key] --profile root-ca

Generate a certificate for a specific hostname and sign it with the root CA (generating a CSR can be skipped for simplification)
$ step certificate create [hostname.example.com] [path/to/hostname.crt] [path/to/hostname.key] --profile leaf --ca [path/to/root-ca.crt] --ca-key [path/to/root-ca.key]

Verify a certificate chain
$ step certificate verify [path/to/hostname.crt] --roots [path/to/root-ca.crt] --verbose

Convert a PEM format certificate to DER and write it to disk
$ step certificate format [path/to/certificate.pem] --out [path/to/certificate.der]

Install or uninstall a root certificate in the system's default trust store
$ step certificate [install|uninstall] [path/to/root-ca.crt]

Create an RSA/EC private and public keypair (append --no-password --insecure to skip private key password protection)
$ step crypto keypair [path/to/public_key] [path/to/private_key] --kty [RSA|EC]

Display help for subcommands
$ step [path|base64|certificate|completion|context|crl|crypto|oauth|ca|beta|ssh] --help

SYNOPSIS

step <subcommand> [options] [arguments]

Common Subcommands:
step ca: Manage Certificate Authorities (CAs).
step certificate: Create, manage, and inspect certificates.
step acme: Manage ACME challenges and orders.
step crypto: Perform cryptographic operations.
step keygen: Generate cryptographic keys.

PARAMETERS

-h, --help
    Show help for the `step` command or a specific subcommand.

-p, --profile <name>
    Specify the configuration profile to use, overriding the default.

--home <path>
    Specify the directory for `step` configuration files and data. Defaults to `~/.step`.

--config <path>
    Specify the path to a custom configuration file for `step`.

-v, --version
    Print the `step` command version.

DESCRIPTION

The `step` command is the powerful command-line interface (CLI) tool from Smallstep, designed for simplified Public Key Infrastructure (PKI) management, certificate issuance, and ACME (Automatic Certificate Management Environment) operations. It enables users to easily manage Certificate Authorities (CAs), create and sign X.509 certificates and SSH certificates, and automate certificate lifecycles. `step` is widely used by developers and operations teams to secure microservices with mutual TLS (mTLS), manage internal PKIs, and provision identities, streamlining complex cryptographic tasks into user-friendly commands. Its modular design allows for flexible integration into various environments, making it an essential tool for modern cloud-native security.

CAVEATS

The `step` command deals with sensitive cryptographic material, including private keys and certificates. Mishandling or misconfiguration can lead to severe security vulnerabilities, including unauthorized access, impersonation, or compromise of your infrastructure. Always ensure proper key protection, secure storage, and follow best practices for PKI management. Regular auditing of certificate issuance and revocation is crucial. Understand the implications of certificate lifetimes and renewal processes to prevent service outages due to expired certificates.
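
The following script is an added example, not part of the original page or Smallstep's own code. It turns the auditing and expiry advice above into a repeatable check by combining `step certificate verify` from the TLDR with `step certificate needs-renewal`. The `ROOTS` path, the 72h window, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit leaf certificates for trust and upcoming expiry.
# Assumptions: `step` is on PATH; ROOTS and WINDOW are illustrative defaults.

ROOTS="${ROOTS:-root-ca.crt}"   # hypothetical root CA bundle to verify against
WINDOW="${WINDOW:-72h}"         # flag certificates expiring within this duration

# classify_cert FILE -> prints one of OK, RENEW, UNTRUSTED, MISSING, ERROR
classify_cert() {
    crt=$1
    [ -f "$crt" ] || { echo MISSING; return; }
    # Chain check first: a certificate that does not chain to our roots
    # (or has already expired) must not be reported as merely "due".
    if ! step certificate verify "$crt" --roots "$ROOTS" >/dev/null 2>&1; then
        echo UNTRUSTED
        return
    fi
    # needs-renewal exit codes: 0 = renew, 1 = not yet, 2 = no file, 255 = error
    code=0
    step certificate needs-renewal "$crt" --expires-in "$WINDOW" \
        >/dev/null 2>&1 || code=$?
    case $code in
        0) echo RENEW ;;
        1) echo OK ;;
        2) echo MISSING ;;
        *) echo ERROR ;;
    esac
}

# audit_certs FILE... -> one "STATUS path" line per file; returns non-zero
# if any file is not OK, so a cron job or CI stage can alert on it.
audit_certs() {
    rc=0
    for f in "$@"; do
        status=$(classify_cert "$f")
        printf '%-9s %s\n' "$status" "$f"
        [ "$status" = OK ] || rc=1
    done
    return "$rc"
}

# Runs only when certificate paths are given: sh audit.sh /etc/certs/*.crt
if [ "$#" -gt 0 ]; then
    audit_certs "$@"
fi
```

Because the chain check runs first, a certificate that fails verification is reported as UNTRUSTED rather than as due for renewal.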

KEY SUBCOMMANDS OVERVIEW

While the `step` command itself has global options, its true power lies in its extensive set of subcommands, each dedicated to specific PKI or cryptographic tasks. For instance, step ca manages Certificate Authorities, step certificate handles individual certificate operations (creating, signing, inspecting), step acme integrates with ACME servers for automated certificate provisioning, and step ssh manages SSH host and user certificates. Users typically interact with `step` by invoking a subcommand followed by its specific options and arguments.

COMMON USE CASES

`step` is versatile for various security needs:
1. Internal PKI Management: Setting up and managing a private CA for internal services.
2. mTLS for Microservices: Issuing and deploying mutual TLS certificates to secure inter-service communication.
3. Automated Certificate Provisioning: Integrating with ACME for publicly trusted certificates or automating internal certificate issuance with policies.
4. SSH Certificate Management: Centralizing SSH key management and enabling ephemeral SSH access.

HISTORY

The `step` CLI was developed by Smallstep, a company focused on bringing modern, automated PKI solutions to developers and operators. It emerged to address the complexities and traditional friction associated with managing X.509 certificates and internal CAs, especially in dynamic, distributed environments like microservices and cloud infrastructure. Launched to provide a more developer-friendly and scriptable alternative to verbose tools, `step` aims to simplify the entire certificate lifecycle, from CA creation to certificate issuance, revocation, and renewal, promoting best practices like mTLS by default.

SEE ALSO

openssl(1), certbot(1), cfssl(1), vault(1)
