step-ca

Private certificate authority server

TLDR

Initialize a new CA
$ step ca init

Start the CA server
$ step-ca [$(step path)/config/ca.json]

Request a certificate
$ step ca certificate [hostname] [host.crt] [host.key]

Renew a certificate
$ step ca renew [host.crt] [host.key]

Revoke a certificate
$ step ca revoke [host.crt]

Add a provisioner
$ step ca provisioner add [name] --type [OIDC] --client-id [id] --configuration-endpoint [url]

Get CA health
$ step ca health

Get the root certificate
$ step ca root

SYNOPSIS

step-ca [config] [options]
step ca command [options]

DESCRIPTION

step-ca is a private certificate authority server. Combined with the step ca client commands, it provides automated certificate lifecycle management.
step ca init creates the PKI structure with a root CA and an intermediate CA. The resulting configuration defines provisioners, certificate templates, and policies.
Provisioners authenticate certificate requests. Types include ACME, OIDC, JWK, X5C, and SSHPOP. Each provisioner has its own authentication requirements and certificate constraints.
step ca certificate requests certificates through the configured provisioners. The ACME provisioner enables Let's Encrypt-style automation. Issued certificates include the SANs specified in the request.
Renewal with step ca renew extends a certificate's lifetime; pair it with the step-renewer daemon for automatic renewal. Revocation invalidates a certificate before it expires.
step-ca supports the ACME protocol, enabling integration with certbot and other ACME clients for automated certificate issuance.
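As an added example, not code from this page or from the step project, the following Go program builds the two-tier hierarchy that step ca init creates (root -> intermediate -> leaf) with the standard library and then performs the check a bootstrapped client makes: trust only the root, verify the leaf through the intermediate, and reject a name that is not in the SAN. The CA names, the host name host.internal, and the functions issue, BuildPKI, and VerifyChain are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type PKI struct{ Root, Intermediate, Leaf *x509.Certificate }

// issue makes a P-256 key (the step default) and a cert for cn signed by parent/signer; nil parent means self-signed.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), // short-lived, like step-ca defaults
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if !ca { // leaf: no signing usage, and the DNS SAN that step ca certificate would put in the cert
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	if parent == nil { // self-signed root (constructed example, not step's own key handling)
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildPKI chains root -> intermediate -> leaf; as with step-ca, only the intermediate signs leaves.
func BuildPKI(host string) PKI {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", 2, true, root, rootKey)
	leaf, _ := issue(host, 3, false, inter, interKey)
	return PKI{root, inter, leaf}
}

// VerifyChain does what a client that ran step ca bootstrap does: trust only the root; the server sends the intermediate.
func VerifyChain(p PKI, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Intermediate)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

Because the root is never used to sign leaves, the root key can stay offline after init while the intermediate key does the day-to-day signing, which is what the CAVEATS about root key security rely on.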

CONFIGURATION

$(step path)/config/ca.json
Main CA server configuration defining address, database, TLS settings, and authority parameters.
$(step path)/config/defaults.json
Default client settings, including the CA URL and root fingerprint.
$(step path)/certs/
Directory containing the root and intermediate CA certificates.
$(step path)/secrets/
Directory containing the CA private keys (root and intermediate).

STEP-CA OPTIONS

--password-file path
Password file for the CA (intermediate) key.
--issuer-password-file path
Password file for the issuer key.
--resolver address
DNS resolver address.
--pidfile path
PID file path.

STEP CA COMMANDS

init
Initialize a new PKI and CA configuration.
certificate name crt key
Request a new certificate.
renew crt key
Renew a certificate.
revoke [serial|crt]
Revoke a certificate.
sign csr crt
Sign a certificate signing request.
provisioner add|remove|update|list
Manage provisioners.
root
Download the root certificate.
health
Check CA health.
token subject
Generate an authentication token.
bootstrap
Configure a client to trust the CA.

CERTIFICATE OPTIONS

--san name
Subject Alternative Name (repeatable).
--not-after time
Expiration time or duration.
--provisioner name
Provisioner to use.
--kty type
Key type: EC, RSA, OKP.
--size bits
Key size.
--force
Overwrite existing files.

CAVEATS

Root key security is critical: a compromised root key allows arbitrary certificates to be issued. ACME requires a working DNS or HTTP challenge configuration. Certificate templates require an understanding of X.509. Production deployments need a backup plan and consideration of HSM-backed keys.

HISTORY

step-ca was created by Smallstep and released in 2018 as part of their open-source PKI toolkit. It was designed to bring modern certificate management to internal infrastructure. The project enables zero-trust security through automated certificate issuance. Smallstep offers commercial products built on the open-source foundation.

SEE ALSO

openssl(1), certbot(1), cfssl(1), vault(1)
