├── .ackrc ├── .githooks └── pre-commit ├── .github ├── PULL_REQUEST_TEMPLATE ├── mdl.config.json └── workflows │ ├── link-check.yml │ ├── pr-checks.yml │ └── upload-assets.yml ├── .gitignore ├── CODEOWNERS ├── CONTRIBUTING.md ├── README.mdx ├── certificate-manager ├── README.mdx ├── acme-old.mdx ├── acme │ ├── README.mdx │ ├── how-to-use-acme.mdx │ ├── when-to-use-acme.mdx │ └── why-use-acme.mdx ├── basic-ops.mdx ├── byo-root.mdx ├── core-concepts.mdx ├── custom-certs.mdx ├── getting-started.mdx ├── how-it-works.mdx ├── kubernetes-tls │ ├── README.mdx │ ├── kubernetes-autocert.mdx │ ├── kubernetes-container-tls.mdx │ ├── kubernetes-ingress-tls.mdx │ ├── kubernetes-install.mdx │ └── kubernetes-step-issuer.mdx ├── oidc.mdx └── webhook-events.mdx ├── design-document.mdx ├── graphics ├── 2019-03-19-step-oauth-oidc-curl.png ├── 2019-03-19-step-oauth-oidc.png ├── Aerohive.png ├── Authenticating_to_an_EAP-TLS_network.png ├── Extreme.png ├── Intune_flow_diagram.png ├── Intune_permissions.png ├── Jamf_MDM_Marketecture.png ├── acme.svg ├── advanced-resource-assign.png ├── asus-eaptls.png ├── autocert-arch.png ├── autocert-bootstrap.png ├── aws-account-id.png ├── azure.png ├── cas-deploy.png ├── cas-launch-image.png ├── cas-optional-fields.png ├── cas-required-fields.png ├── cas-three-ways.png ├── cert-icon.svg ├── certificate-manager-icon.svg ├── certificate.svg ├── certificate_manager_ra_mode.png ├── cli.svg ├── cm-hiw-sso.svg ├── code-signing.svg ├── connected-islands.svg ├── customize.svg ├── demo.gif ├── detail-references.svg ├── docs-certificate-manager-logo.png ├── docs-registration-authorities-logo.png ├── docs-ssh-logo.png ├── email_black_24dp.svg ├── enhanced_encryption.svg ├── gcp-kubernetes-configuration-console.png ├── general-provisioner.png ├── getting-started.svg ├── gsuite.png ├── guide.svg ├── hammer-wrench.svg ├── host-tags-example.png ├── host_certificate_flow.png ├── ia-cloud-ra-challenge-client.svg ├── icon-certificate-manager.svg ├── 
icon-mutual-tls.svg ├── icon-platforms.svg ├── icon-registration-authority.svg ├── icon-registration-autohorities.svg ├── icon-ssh.svg ├── icon-step-ca.svg ├── icon-step-cli.svg ├── icon-tutorials.svg ├── iid-authentication.png ├── iid-provisioner.png ├── imported-access-policy.png ├── jamf_scep.png ├── jamf_webhook.png ├── k8s-step-issuer-diagram.png ├── kubernetes-tls-unfurl.png ├── kubernetes.svg ├── localhost-tls.png ├── logo-icon-white.svg ├── meraki.png ├── oauth-provisioner.png ├── oidc.svg ├── okta.png ├── other-resources.svg ├── other.png ├── passive-revocation.png ├── provisioner-stepCA-graph.png ├── quickstart │ ├── aad-add-nongallery-app.png │ ├── aad-attribute-mapping.png │ ├── aad-create-user-group.png │ ├── aad-group-example.png │ ├── acl-grant-access.png │ ├── acl-host-detail.png │ ├── acl-select-idp-group.png │ ├── azure-consent.png │ ├── azure-onboarding.png │ ├── g-suite-api-clients.png │ ├── host-tags-example.png │ ├── oidc-confirm.png │ ├── oidc-copy-2021.png │ ├── oidc-copy.png │ ├── okta-api-auth.png │ ├── okta-app-add.png │ ├── okta-app-signon.png │ ├── okta-app-tile.png │ ├── okta-enable-api.png │ ├── okta-enable-sync.png │ ├── okta-gid-createupdate.png │ ├── okta-gid-finalmap.png │ ├── okta-gid-gidadd.png │ ├── okta-gid-gidsync.png │ ├── okta-gid-uidadd.png │ ├── okta-gid-uidsync.png │ ├── okta-push-groups.png │ ├── scim-logs.png │ ├── ssh-okta-client-auth-oidc-app.png │ ├── ssh-okta-domain-oidc-app.png │ ├── ssh-okta-new-oidc-app.png │ └── ssh-okta-uri-oidc-app.png ├── scim.png ├── shortcut.png ├── smallstep-docs-unfurl.png ├── ss-platform.svg ├── ssh-hiw-alice1.png ├── ssh-hiw-alice2.png ├── ssh-icon.svg ├── ssh-logo.png ├── ssh-sso-in-browser.png ├── sso-ssh-hero.svg ├── sso.png ├── stepcas-ra-mode.png ├── templates-screenshot.svg ├── tpm-attestation.png ├── troubleshooting.svg ├── tutorial.svg ├── unregister-webhook.png ├── webhook-events-demo.png ├── webhook-logo.svg ├── workload-management-setup.png └── workspace-one-api-panel.png 
├── manifest.json ├── mtls └── README.mdx ├── platform ├── README.mdx ├── core-concepts.mdx ├── enrollment-guide.mdx ├── smallstep-agent.mdx ├── smallstep-api.mdx └── smallstep-app.mdx ├── practical-zero-trust └── README.mdx ├── registration-authorities ├── README.mdx ├── acme-for-cas.mdx └── acme-for-certificate-manager.mdx ├── ssh ├── README.mdx ├── acls.mdx ├── azure-ad.mdx ├── client.mdx ├── g-suite.mdx ├── hosts-step-by-step.mdx ├── hosts.mdx ├── how-it-works.mdx ├── okta-gid-uid.mdx └── okta.mdx ├── step-ca ├── README.mdx ├── acme-basics.mdx ├── basic-certificate-authority-operations.mdx ├── certificate-authority-core-concepts.mdx ├── certificate-authority-server-production.mdx ├── configuration.mdx ├── cryptographic-protection.mdx ├── getting-started.mdx ├── installation.mdx ├── integrations.mdx ├── policies.mdx ├── provisioners.mdx ├── registration-authority-ra-mode.mdx ├── renewal.mdx ├── revocation.mdx ├── templates.mdx └── webhooks.mdx ├── step-cli ├── README.mdx ├── basic-crypto-operations.mdx ├── installation.mdx ├── reference │ ├── README.mdx │ ├── api │ │ ├── README.mdx │ │ └── token │ │ │ ├── README.mdx │ │ │ └── create │ │ │ └── README.mdx │ ├── base64 │ │ └── README.mdx │ ├── beta │ │ ├── README.mdx │ │ └── ca │ │ │ ├── README.mdx │ │ │ └── acme │ │ │ ├── README.mdx │ │ │ └── eab │ │ │ ├── README.mdx │ │ │ ├── add │ │ │ └── README.mdx │ │ │ ├── list │ │ │ └── README.mdx │ │ │ └── remove │ │ │ └── README.mdx │ ├── ca │ │ ├── README.mdx │ │ ├── acme │ │ │ ├── README.mdx │ │ │ └── eab │ │ │ │ ├── README.mdx │ │ │ │ ├── add │ │ │ │ └── README.mdx │ │ │ │ ├── list │ │ │ │ └── README.mdx │ │ │ │ └── remove │ │ │ │ └── README.mdx │ │ ├── admin │ │ │ ├── README.mdx │ │ │ ├── add │ │ │ │ └── README.mdx │ │ │ ├── list │ │ │ │ └── README.mdx │ │ │ ├── remove │ │ │ │ └── README.mdx │ │ │ └── update │ │ │ │ └── README.mdx │ │ ├── bootstrap │ │ │ └── README.mdx │ │ ├── certificate │ │ │ └── README.mdx │ │ ├── federation │ │ │ └── README.mdx │ │ ├── health │ │ │ 
└── README.mdx │ │ ├── init │ │ │ └── README.mdx │ │ ├── policy │ │ │ ├── README.mdx │ │ │ ├── acme │ │ │ │ ├── README.mdx │ │ │ │ ├── remove │ │ │ │ │ └── README.mdx │ │ │ │ ├── view │ │ │ │ │ └── README.mdx │ │ │ │ └── x509 │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── allow │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── cn │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── dns │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── email │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── ip │ │ │ │ │ │ └── README.mdx │ │ │ │ │ └── uri │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── deny │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── cn │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── dns │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── email │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── ip │ │ │ │ │ │ └── README.mdx │ │ │ │ │ └── uri │ │ │ │ │ │ └── README.mdx │ │ │ │ │ └── wildcards │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── allow │ │ │ │ │ └── README.mdx │ │ │ │ │ └── deny │ │ │ │ │ └── README.mdx │ │ │ ├── authority │ │ │ │ ├── README.mdx │ │ │ │ ├── remove │ │ │ │ │ └── README.mdx │ │ │ │ ├── ssh │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── host │ │ │ │ │ │ ├── README.mdx │ │ │ │ │ │ ├── allow │ │ │ │ │ │ │ ├── README.mdx │ │ │ │ │ │ │ ├── dns │ │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ │ ├── email │ │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ │ └── principal │ │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ └── deny │ │ │ │ │ │ │ ├── README.mdx │ │ │ │ │ │ │ ├── dns │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ │ ├── email │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ │ └── principal │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ └── user │ │ │ │ │ │ ├── README.mdx │ │ │ │ │ │ ├── allow │ │ │ │ │ │ ├── README.mdx │ │ │ │ │ │ ├── email │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ └── principal │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ └── deny │ │ │ │ │ │ ├── README.mdx │ │ │ │ │ │ ├── email │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ └── principal │ │ │ │ │ │ └── README.mdx │ │ │ │ ├── view │ │ │ │ │ └── README.mdx │ │ │ │ └── x509 │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── allow │ │ │ │ │ ├── 
README.mdx │ │ │ │ │ ├── cn │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── dns │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── email │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── ip │ │ │ │ │ │ └── README.mdx │ │ │ │ │ └── uri │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── deny │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── cn │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── dns │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── email │ │ │ │ │ │ └── README.mdx │ │ │ │ │ ├── ip │ │ │ │ │ │ └── README.mdx │ │ │ │ │ └── uri │ │ │ │ │ │ └── README.mdx │ │ │ │ │ └── wildcards │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── allow │ │ │ │ │ └── README.mdx │ │ │ │ │ └── deny │ │ │ │ │ └── README.mdx │ │ │ └── provisioner │ │ │ │ ├── README.mdx │ │ │ │ ├── remove │ │ │ │ └── README.mdx │ │ │ │ ├── ssh │ │ │ │ ├── README.mdx │ │ │ │ ├── host │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── allow │ │ │ │ │ │ ├── README.mdx │ │ │ │ │ │ ├── dns │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ ├── email │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ └── principal │ │ │ │ │ │ │ └── README.mdx │ │ │ │ │ └── deny │ │ │ │ │ │ ├── README.mdx │ │ │ │ │ │ ├── dns │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ ├── email │ │ │ │ │ │ └── README.mdx │ │ │ │ │ │ └── principal │ │ │ │ │ │ └── README.mdx │ │ │ │ └── user │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── allow │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── email │ │ │ │ │ │ └── README.mdx │ │ │ │ │ └── principal │ │ │ │ │ │ └── README.mdx │ │ │ │ │ └── deny │ │ │ │ │ ├── README.mdx │ │ │ │ │ ├── email │ │ │ │ │ └── README.mdx │ │ │ │ │ └── principal │ │ │ │ │ └── README.mdx │ │ │ │ ├── view │ │ │ │ └── README.mdx │ │ │ │ └── x509 │ │ │ │ ├── README.mdx │ │ │ │ ├── allow │ │ │ │ ├── README.mdx │ │ │ │ ├── cn │ │ │ │ │ └── README.mdx │ │ │ │ ├── dns │ │ │ │ │ └── README.mdx │ │ │ │ ├── email │ │ │ │ │ └── README.mdx │ │ │ │ ├── ip │ │ │ │ │ └── README.mdx │ │ │ │ └── uri │ │ │ │ │ └── README.mdx │ │ │ │ ├── deny │ │ │ │ ├── README.mdx │ │ │ │ ├── cn │ │ │ │ │ └── README.mdx │ │ │ │ ├── dns │ │ │ │ │ └── README.mdx │ │ │ │ ├── email │ │ 
│ │ │ └── README.mdx │ │ │ │ ├── ip │ │ │ │ │ └── README.mdx │ │ │ │ └── uri │ │ │ │ │ └── README.mdx │ │ │ │ └── wildcards │ │ │ │ ├── README.mdx │ │ │ │ ├── allow │ │ │ │ └── README.mdx │ │ │ │ └── deny │ │ │ │ └── README.mdx │ │ ├── provisioner │ │ │ ├── README.mdx │ │ │ ├── add │ │ │ │ └── README.mdx │ │ │ ├── jwe-key │ │ │ │ └── README.mdx │ │ │ ├── list │ │ │ │ └── README.mdx │ │ │ ├── remove │ │ │ │ └── README.mdx │ │ │ ├── update │ │ │ │ └── README.mdx │ │ │ └── webhook │ │ │ │ ├── README.mdx │ │ │ │ ├── add │ │ │ │ └── README.mdx │ │ │ │ ├── remove │ │ │ │ └── README.mdx │ │ │ │ └── update │ │ │ │ └── README.mdx │ │ ├── rekey │ │ │ └── README.mdx │ │ ├── renew │ │ │ └── README.mdx │ │ ├── revoke │ │ │ └── README.mdx │ │ ├── root │ │ │ └── README.mdx │ │ ├── roots │ │ │ └── README.mdx │ │ ├── sign │ │ │ └── README.mdx │ │ └── token │ │ │ └── README.mdx │ ├── certificate │ │ ├── README.mdx │ │ ├── bundle │ │ │ └── README.mdx │ │ ├── create │ │ │ └── README.mdx │ │ ├── fingerprint │ │ │ └── README.mdx │ │ ├── format │ │ │ └── README.mdx │ │ ├── inspect │ │ │ └── README.mdx │ │ ├── install │ │ │ └── README.mdx │ │ ├── key │ │ │ └── README.mdx │ │ ├── lint │ │ │ └── README.mdx │ │ ├── needs-renewal │ │ │ └── README.mdx │ │ ├── p12 │ │ │ └── README.mdx │ │ ├── sign │ │ │ └── README.mdx │ │ ├── uninstall │ │ │ └── README.mdx │ │ └── verify │ │ │ └── README.mdx │ ├── completion │ │ └── README.mdx │ ├── context │ │ ├── README.mdx │ │ ├── current │ │ │ └── README.mdx │ │ ├── list │ │ │ └── README.mdx │ │ ├── remove │ │ │ └── README.mdx │ │ └── select │ │ │ └── README.mdx │ ├── crl │ │ ├── README.mdx │ │ └── inspect │ │ │ └── README.mdx │ ├── crypto │ │ ├── README.mdx │ │ ├── change-pass │ │ │ └── README.mdx │ │ ├── hash │ │ │ ├── README.mdx │ │ │ ├── compare │ │ │ │ └── README.mdx │ │ │ └── digest │ │ │ │ └── README.mdx │ │ ├── jose │ │ │ ├── README.mdx │ │ │ └── format │ │ │ │ └── README.mdx │ │ ├── jwe │ │ │ ├── README.mdx │ │ │ ├── decrypt │ │ │ │ └── README.mdx 
│ │ │ └── encrypt │ │ │ │ └── README.mdx │ │ ├── jwk │ │ │ ├── README.mdx │ │ │ ├── create │ │ │ │ └── README.mdx │ │ │ ├── keyset │ │ │ │ ├── README.mdx │ │ │ │ ├── add │ │ │ │ │ └── README.mdx │ │ │ │ ├── find │ │ │ │ │ └── README.mdx │ │ │ │ ├── list │ │ │ │ │ └── README.mdx │ │ │ │ └── remove │ │ │ │ │ └── README.mdx │ │ │ ├── public │ │ │ │ └── README.mdx │ │ │ └── thumbprint │ │ │ │ └── README.mdx │ │ ├── jws │ │ │ ├── README.mdx │ │ │ ├── inspect │ │ │ │ └── README.mdx │ │ │ ├── sign │ │ │ │ └── README.mdx │ │ │ └── verify │ │ │ │ └── README.mdx │ │ ├── jwt │ │ │ ├── README.mdx │ │ │ ├── inspect │ │ │ │ └── README.mdx │ │ │ ├── sign │ │ │ │ └── README.mdx │ │ │ └── verify │ │ │ │ └── README.mdx │ │ ├── kdf │ │ │ ├── README.mdx │ │ │ ├── compare │ │ │ │ └── README.mdx │ │ │ └── hash │ │ │ │ └── README.mdx │ │ ├── key │ │ │ ├── README.mdx │ │ │ ├── fingerprint │ │ │ │ └── README.mdx │ │ │ ├── format │ │ │ │ └── README.mdx │ │ │ ├── inspect │ │ │ │ └── README.mdx │ │ │ ├── public │ │ │ │ └── README.mdx │ │ │ ├── sign │ │ │ │ └── README.mdx │ │ │ └── verify │ │ │ │ └── README.mdx │ │ ├── keypair │ │ │ └── README.mdx │ │ ├── nacl │ │ │ ├── README.mdx │ │ │ ├── auth │ │ │ │ ├── README.mdx │ │ │ │ ├── digest │ │ │ │ │ └── README.mdx │ │ │ │ └── verify │ │ │ │ │ └── README.mdx │ │ │ ├── box │ │ │ │ ├── README.mdx │ │ │ │ ├── keypair │ │ │ │ │ └── README.mdx │ │ │ │ ├── open │ │ │ │ │ └── README.mdx │ │ │ │ └── seal │ │ │ │ │ └── README.mdx │ │ │ ├── secretbox │ │ │ │ ├── README.mdx │ │ │ │ ├── open │ │ │ │ │ └── README.mdx │ │ │ │ └── seal │ │ │ │ │ └── README.mdx │ │ │ └── sign │ │ │ │ ├── README.mdx │ │ │ │ ├── keypair │ │ │ │ └── README.mdx │ │ │ │ ├── open │ │ │ │ └── README.mdx │ │ │ │ └── sign │ │ │ │ └── README.mdx │ │ ├── otp │ │ │ ├── README.mdx │ │ │ ├── generate │ │ │ │ └── README.mdx │ │ │ └── verify │ │ │ │ └── README.mdx │ │ ├── rand │ │ │ └── README.mdx │ │ └── winpe │ │ │ ├── README.mdx │ │ │ └── extract │ │ │ └── README.mdx │ ├── fileserver │ │ └── 
README.mdx │ ├── help │ │ └── README.mdx │ ├── oauth │ │ └── README.mdx │ ├── path │ │ └── README.mdx │ ├── ssh │ │ ├── README.mdx │ │ ├── certificate │ │ │ └── README.mdx │ │ ├── check-host │ │ │ └── README.mdx │ │ ├── config │ │ │ └── README.mdx │ │ ├── fingerprint │ │ │ └── README.mdx │ │ ├── hosts │ │ │ └── README.mdx │ │ ├── inspect │ │ │ └── README.mdx │ │ ├── list │ │ │ └── README.mdx │ │ ├── login │ │ │ └── README.mdx │ │ ├── logout │ │ │ └── README.mdx │ │ ├── needs-renewal │ │ │ └── README.mdx │ │ ├── proxycommand │ │ │ └── README.mdx │ │ ├── rekey │ │ │ └── README.mdx │ │ ├── renew │ │ │ └── README.mdx │ │ └── revoke │ │ │ └── README.mdx │ └── version │ │ └── README.mdx └── the-step-command.mdx └── tutorials ├── README.mdx ├── acme-protocol-acme-clients.mdx ├── apple-mdm-jamf-setup-guide.mdx ├── browser-certificate-setup-guide.mdx ├── cloud-vm-certificate.mdx ├── connect-intune-to-smallstep.mdx ├── connect-jamf-pro-to-smallstep.mdx ├── connect-workspace-one-to-smallstep.mdx ├── docker-tls-certificate-authority.mdx ├── intermediate-ca-new-ca.mdx ├── intune-mdm-setup-guide.mdx ├── keycloak-oidc-provisioner.mdx ├── kubernetes-acme-ca.mdx ├── mutual-tls-aws.mdx ├── pki-trust-model-federation.mdx ├── rsa-chain.mdx ├── ssh-certificate-login.mdx ├── user-authentication.mdx ├── vpn-client-setup-guide.mdx ├── vpn-setup-guide-azure-vng.mdx ├── vpn-setup-guide-f5.mdx ├── vpn-setup-guide-strongswan.mdx ├── vpn-setup-guide.mdx └── wifi-setup-guide.mdx

/.ackrc:
--------------------------------------------------------------------------------
--ignore-dir=graphics

--------------------------------------------------------------------------------
/.githooks/pre-commit:
--------------------------------------------------------------------------------
#!/bin/bash
# This pre-commit hook updates (or adds) the updated_at frontmatter in .mdx files with the current date.
#
# To install it, run the following from the top level of the repo:
#
# mkdir -p .git/hooks
# cp .githooks/pre-commit .git/hooks/pre-commit
# chmod +x .git/hooks/pre-commit

# Get the current date in "Month Day, Year" format (e.g., March 23, 2025)
CURRENT_DATE=$(date -u +"%B %d, %Y")

# Function to update frontmatter
update_frontmatter() {
  local file=$1

  # Ensure the file contains frontmatter
  if [[ $(head -n 1 "$file") == "---" ]]; then
    if grep -q "^updated_at:" "$file"; then
      # Update the existing "updated_at" field.
      # The attached-suffix form -i.bak works with both BSD/macOS and GNU sed
      # (a bare `-i ""` is BSD-only).
      sed -i.bak -E "s/^updated_at:.*/updated_at: $CURRENT_DATE/" "$file"
    else
      # Insert "updated_at" on the second line of the file
      sed -i.bak "2i\\
updated_at: $CURRENT_DATE
" "$file"
    fi
    # Remove the backup copy that sed -i.bak leaves behind
    rm -f "$file.bak"
  fi
}

# Find all staged .mdx files (NUL-delimited, so paths containing spaces are handled)
while IFS= read -r -d '' file; do
  if [[ -f "$file" ]]; then
    update_frontmatter "$file"
    # Re-add the file to staging
    git add "$file"
  fi
done < <(git diff --cached --name-only -z -- '*.mdx')

--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE:
--------------------------------------------------------------------------------
#### Describe your changes:


#### Related links/other PRs/issues:


Thank you!

--------------------------------------------------------------------------------
/.github/mdl.config.json:
--------------------------------------------------------------------------------
{
  "ignorePatterns": [
    {
      "pattern": "^https?://.*.local"
    },
    {
      "pattern": "^https?://.*.internal"
    },
    {
      "pattern": "^https?://localhost"
    },
    {
      "pattern": "^https?://127.0.0.1"
    },
    {
      "pattern": "^https?://.*.example.com"
    },
    {
      "pattern": "^https://yourco.okta.com"
    },
    {
      "pattern": "^https://somehost.com"
    },
    {
      "pattern": "^https://.*ca.smallstep.com"
    },
    {
      "pattern": "^https://i.imgur.com"
    },
    {
      "pattern": "^https://www.arubanetworks.com"
    }
  ],
  "replacementPatterns": [
    {
      "pattern": "^/graphics",
      "replacement": "{{BASEURL}}/graphics"
    }
  ]
}

--------------------------------------------------------------------------------
/.github/workflows/link-check.yml:
--------------------------------------------------------------------------------
name: Check Markdown links in merges

on:
  push:
    branches:
      - main

jobs:
  markdown-link-check:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
      - uses: gaurav-nelson/github-action-markdown-link-check@v1
        with:
          file-extension: '.mdx'
          use-quiet-mode: 'yes'
          config-file: '.github/mdl.config.json'

--------------------------------------------------------------------------------
/.github/workflows/pr-checks.yml:
--------------------------------------------------------------------------------
name: Check Markdown links in PRs

on:
  pull_request:

jobs:
  markdown-link-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gaurav-nelson/github-action-markdown-link-check@v1
        with:
          file-extension: '.mdx'
          use-quiet-mode: 'yes'
          check-modified-files-only: 'yes'
          base-branch: 'main'
          config-file: '.github/mdl.config.json'

--------------------------------------------------------------------------------
/.github/workflows/upload-assets.yml:
--------------------------------------------------------------------------------
name: Upload Assets

on:
  push:
    branches:
      - 'main'
    paths:
      - 'graphics/**'

jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Upload to S3
        uses: shallwefootball/upload-s3-action@v1.3.3
        id: S3
        with:
          aws_key_id: ${{ secrets.AWS_ASSETS_KEY_ID }}
          aws_secret_access_key: ${{ secrets.AWS_ASSETS_SECRET_ACCESS_KEY}}
          aws_bucket: ${{ secrets.AWS_ASSETS_BUCKET }}
          source_dir: 'graphics'
          destination_dir: 'graphics'

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
lerna-debug.log*

# Diagnostic reports (https://nodejs.org/api/report.html)
report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json

# Runtime data
pids
*.pid
*.seed
*.pid.lock

# Directory for instrumented libs generated by jscoverage/JSCover
lib-cov

# Coverage directory used by tools like istanbul
coverage
*.lcov

# nyc test coverage
.nyc_output

# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
.grunt

# Bower dependency directory (https://bower.io/)
bower_components

# node-waf configuration
.lock-wscript

# Compiled binary addons (https://nodejs.org/api/addons.html)
build/Release

# Dependency directories
node_modules/
jspm_packages/

# TypeScript v1 declaration files
typings/

# TypeScript cache
*.tsbuildinfo

# Optional npm cache directory
.npm

# Optional eslint cache
.eslintcache

# Microbundle cache
.rpt2_cache/
.rts2_cache_cjs/
.rts2_cache_es/
.rts2_cache_umd/

# Optional REPL history
.node_repl_history

# Output of 'npm pack'
*.tgz

# Yarn Integrity file
.yarn-integrity

# dotenv environment variables file
.env
.env.test

# parcel-bundler cache (https://parceljs.org/)
.cache

# Next.js build output
.next

# Nuxt.js build / generate output
.nuxt
dist

# Gatsby files
.cache/
# Comment in the public line in if your project uses Gatsby and *not* Next.js
# https://nextjs.org/blog/next-9-1#public-directory-support
# public

# vuepress build output
.vuepress/dist

# Serverless directories
.serverless/

# FuseBox cache
.fusebox/

# DynamoDB Local files
.dynamodb/

# TernJS port file
.tern-port

/public

.DS_Store
--------------------------------------------------------------------------------
/CODEOWNERS:
--------------------------------------------------------------------------------
* @smallstep/docs

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Smallstep docs

This repository contains documentation for Smallstep projects and products. These docs are served at https://smallstep.com/docs.

Issues and pull requests are welcome!

## Docs Style & Syntax

- The docs repo uses [MDX syntax](https://mdxjs.com/docs/what-is-mdx/#mdx-syntax).
  MDX follows the [CommonMark spec](https://spec.commonmark.org/) for Markdown.
  MDX also allows us to intersperse CommonMark with JSX tags (React components and other HTML-like tags).
  A JSX tag block looks like this:

  ```
  Want to run an SSH CA?

  By default, the SSH CA is disabled.
  Create a CA with SSH CA capabilities by running step ca init --ssh.
  ```

  Take a look through a few docs pages to get familiar with the React components we use in our docs, and how to use them.
  There are no formal docs for these yet.

- Use [semantic linefeeds](https://rhodesmill.org/brandon/2012/one-sentence-per-line/) when possible.
- Follow the conventions outlined in Google's [Technical Writing](https://developers.google.com/tech-writing/one) classes.
- Further reading:
  - [Common Bugs in Writing](https://www.cs.columbia.edu/~hgs/etc/writing-bugs.html)

## Updating the `step` CLI reference docs

Everything under `src/pages/docs/step-cli/reference` is auto-generated whenever we release a new version of `step`. To make a change to the CLI reference, you'll have to make the edit in [smallstep/cli](https://github.com/smallstep/cli) and make a PR over there. The reference docs are embedded in the source files under the `command` folder in that repo.

## Practical Zero Trust

The Practical Zero Trust articles are a bit different.
They are templated, rather than freeform Markdown.
Look at existing examples in [`src/pzt`](src/pzt) for reference.

## Checking links locally

First:

```
npm install -g markdown-link-check
```

Then run:

```
find . -name \*.mdx -not -path './node_modules/*' -print0 | xargs -0 -n1 markdown-link-check -q -c .github/mdl.config.json
```

--------------------------------------------------------------------------------
/certificate-manager/README.mdx:
--------------------------------------------------------------------------------
---
title: Getting Started with Smallstep Certificate Manager
html_title: Certificate Manager Documentation from Smallstep
description: Learn how to get started with Smallstep Certificate Manager.
---

Smallstep Certificate Manager is a commercial product built on `step-ca` that delivers highly available hosted certificate authorities, expiry notifications and alerts, a management dashboard, Active Revocation, an API, and other features. With Smallstep Certificate Manager, you can easily issue private TLS/SSL certificates to all your things. [Learn more here.](https://smallstep.com/certificate-manager)

If you need to manage devices or workloads that are not supported yet, you can use Certificate Manager to put together a solution.

Certificate Manager exposes the fundamental building blocks for the supported use cases within the Smallstep platform.

For context, Amazon Web Services (AWS) offers Elastic Beanstalk, which streamlines application deployment on AWS. It manages infrastructure provisioning, including servers (EC2 instances), databases, load balancers, networks, and auto-scaling groups. You upload your app's code, and Elastic Beanstalk handles the rest. While it creates these resources, you maintain complete control and visibility over each resource, enabling developers to customize them as required. In contrast, if you were to manually navigate through AWS, you'd find yourself having to reason about these individual components, a potentially complex and time-consuming task. That's what Certificate Manager is to the Smallstep platform.

When you register a device or workload for management on the Smallstep platform, authorities, provisioners, templates, policies, and other resources are created automatically for you behind the scenes.

Certificate Manager is a big heap of technology that requires you to reason about the design, architecture, and configuration of your PKI yourself. We understand that PKI might not be your primary focus, so instead of diving into certificate intricacies, tell us your certificate-related goals, and we can provide guidance to expedite your journey.
18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /graphics/2019-03-19-step-oauth-oidc-curl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/2019-03-19-step-oauth-oidc-curl.png -------------------------------------------------------------------------------- /graphics/2019-03-19-step-oauth-oidc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/2019-03-19-step-oauth-oidc.png -------------------------------------------------------------------------------- /graphics/Aerohive.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/Aerohive.png -------------------------------------------------------------------------------- /graphics/Authenticating_to_an_EAP-TLS_network.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/Authenticating_to_an_EAP-TLS_network.png -------------------------------------------------------------------------------- /graphics/Extreme.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/Extreme.png -------------------------------------------------------------------------------- /graphics/Intune_flow_diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/Intune_flow_diagram.png 
-------------------------------------------------------------------------------- /graphics/Intune_permissions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/Intune_permissions.png -------------------------------------------------------------------------------- /graphics/Jamf_MDM_Marketecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/Jamf_MDM_Marketecture.png -------------------------------------------------------------------------------- /graphics/advanced-resource-assign.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/advanced-resource-assign.png -------------------------------------------------------------------------------- /graphics/asus-eaptls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/asus-eaptls.png -------------------------------------------------------------------------------- /graphics/autocert-arch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/autocert-arch.png -------------------------------------------------------------------------------- /graphics/autocert-bootstrap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/autocert-bootstrap.png -------------------------------------------------------------------------------- 
/graphics/aws-account-id.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/aws-account-id.png -------------------------------------------------------------------------------- /graphics/azure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/azure.png -------------------------------------------------------------------------------- /graphics/cas-deploy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/cas-deploy.png -------------------------------------------------------------------------------- /graphics/cas-launch-image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/cas-launch-image.png -------------------------------------------------------------------------------- /graphics/cas-optional-fields.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/cas-optional-fields.png -------------------------------------------------------------------------------- /graphics/cas-required-fields.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/cas-required-fields.png -------------------------------------------------------------------------------- /graphics/cas-three-ways.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/cas-three-ways.png -------------------------------------------------------------------------------- /graphics/certificate-manager-icon.svg: -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /graphics/certificate_manager_ra_mode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/certificate_manager_ra_mode.png -------------------------------------------------------------------------------- /graphics/customize.svg: -------------------------------------------------------------------------------- customize -------------------------------------------------------------------------------- /graphics/demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/demo.gif -------------------------------------------------------------------------------- /graphics/docs-certificate-manager-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/docs-certificate-manager-logo.png -------------------------------------------------------------------------------- /graphics/docs-registration-authorities-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/docs-registration-authorities-logo.png
-------------------------------------------------------------------------------- /graphics/docs-ssh-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/docs-ssh-logo.png -------------------------------------------------------------------------------- /graphics/email_black_24dp.svg: -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /graphics/enhanced_encryption.svg: -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /graphics/gcp-kubernetes-configuration-console.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/gcp-kubernetes-configuration-console.png -------------------------------------------------------------------------------- /graphics/general-provisioner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/general-provisioner.png -------------------------------------------------------------------------------- /graphics/gsuite.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/gsuite.png -------------------------------------------------------------------------------- /graphics/hammer-wrench.svg: -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /graphics/host-tags-example.png:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/host-tags-example.png -------------------------------------------------------------------------------- /graphics/host_certificate_flow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/host_certificate_flow.png -------------------------------------------------------------------------------- /graphics/icon-mutual-tls.svg: -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /graphics/icon-platforms.svg: -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /graphics/icon-step-ca.svg: -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /graphics/icon-step-cli.svg: -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /graphics/iid-authentication.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/iid-authentication.png -------------------------------------------------------------------------------- /graphics/iid-provisioner.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/iid-provisioner.png -------------------------------------------------------------------------------- /graphics/imported-access-policy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/imported-access-policy.png -------------------------------------------------------------------------------- /graphics/jamf_scep.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/jamf_scep.png -------------------------------------------------------------------------------- /graphics/jamf_webhook.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/jamf_webhook.png -------------------------------------------------------------------------------- /graphics/k8s-step-issuer-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/k8s-step-issuer-diagram.png -------------------------------------------------------------------------------- /graphics/kubernetes-tls-unfurl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/kubernetes-tls-unfurl.png -------------------------------------------------------------------------------- /graphics/localhost-tls.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/localhost-tls.png -------------------------------------------------------------------------------- /graphics/logo-icon-white.svg: -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /graphics/meraki.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/meraki.png -------------------------------------------------------------------------------- /graphics/oauth-provisioner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/oauth-provisioner.png -------------------------------------------------------------------------------- /graphics/okta.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/okta.png -------------------------------------------------------------------------------- /graphics/other-resources.svg: -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /graphics/other.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/other.png -------------------------------------------------------------------------------- /graphics/passive-revocation.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/passive-revocation.png -------------------------------------------------------------------------------- /graphics/provisioner-stepCA-graph.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/provisioner-stepCA-graph.png -------------------------------------------------------------------------------- /graphics/quickstart/aad-add-nongallery-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/aad-add-nongallery-app.png -------------------------------------------------------------------------------- /graphics/quickstart/aad-attribute-mapping.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/aad-attribute-mapping.png -------------------------------------------------------------------------------- /graphics/quickstart/aad-create-user-group.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/aad-create-user-group.png -------------------------------------------------------------------------------- /graphics/quickstart/aad-group-example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/aad-group-example.png -------------------------------------------------------------------------------- /graphics/quickstart/acl-grant-access.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/acl-grant-access.png -------------------------------------------------------------------------------- /graphics/quickstart/acl-host-detail.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/acl-host-detail.png -------------------------------------------------------------------------------- /graphics/quickstart/acl-select-idp-group.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/acl-select-idp-group.png -------------------------------------------------------------------------------- /graphics/quickstart/azure-consent.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/azure-consent.png -------------------------------------------------------------------------------- /graphics/quickstart/azure-onboarding.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/azure-onboarding.png -------------------------------------------------------------------------------- /graphics/quickstart/g-suite-api-clients.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/g-suite-api-clients.png -------------------------------------------------------------------------------- 
/graphics/quickstart/host-tags-example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/host-tags-example.png -------------------------------------------------------------------------------- /graphics/quickstart/oidc-confirm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/oidc-confirm.png -------------------------------------------------------------------------------- /graphics/quickstart/oidc-copy-2021.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/oidc-copy-2021.png -------------------------------------------------------------------------------- /graphics/quickstart/oidc-copy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/oidc-copy.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-api-auth.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-api-auth.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-app-add.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-app-add.png -------------------------------------------------------------------------------- 
/graphics/quickstart/okta-app-signon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-app-signon.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-app-tile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-app-tile.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-enable-api.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-enable-api.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-enable-sync.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-enable-sync.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-gid-createupdate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-gid-createupdate.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-gid-finalmap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-gid-finalmap.png 
-------------------------------------------------------------------------------- /graphics/quickstart/okta-gid-gidadd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-gid-gidadd.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-gid-gidsync.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-gid-gidsync.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-gid-uidadd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-gid-uidadd.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-gid-uidsync.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-gid-uidsync.png -------------------------------------------------------------------------------- /graphics/quickstart/okta-push-groups.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/okta-push-groups.png -------------------------------------------------------------------------------- /graphics/quickstart/scim-logs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/scim-logs.png 
-------------------------------------------------------------------------------- /graphics/quickstart/ssh-okta-client-auth-oidc-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/ssh-okta-client-auth-oidc-app.png -------------------------------------------------------------------------------- /graphics/quickstart/ssh-okta-domain-oidc-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/ssh-okta-domain-oidc-app.png -------------------------------------------------------------------------------- /graphics/quickstart/ssh-okta-new-oidc-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/ssh-okta-new-oidc-app.png -------------------------------------------------------------------------------- /graphics/quickstart/ssh-okta-uri-oidc-app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/quickstart/ssh-okta-uri-oidc-app.png -------------------------------------------------------------------------------- /graphics/scim.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/scim.png -------------------------------------------------------------------------------- /graphics/shortcut.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/shortcut.png 
-------------------------------------------------------------------------------- /graphics/smallstep-docs-unfurl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/smallstep-docs-unfurl.png -------------------------------------------------------------------------------- /graphics/ssh-hiw-alice1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/ssh-hiw-alice1.png -------------------------------------------------------------------------------- /graphics/ssh-hiw-alice2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/ssh-hiw-alice2.png -------------------------------------------------------------------------------- /graphics/ssh-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/ssh-logo.png -------------------------------------------------------------------------------- /graphics/ssh-sso-in-browser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/ssh-sso-in-browser.png -------------------------------------------------------------------------------- /graphics/sso.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/sso.png -------------------------------------------------------------------------------- /graphics/stepcas-ra-mode.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/stepcas-ra-mode.png -------------------------------------------------------------------------------- /graphics/tpm-attestation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/tpm-attestation.png -------------------------------------------------------------------------------- /graphics/unregister-webhook.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/unregister-webhook.png -------------------------------------------------------------------------------- /graphics/webhook-events-demo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/webhook-events-demo.png -------------------------------------------------------------------------------- /graphics/workload-management-setup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/workload-management-setup.png -------------------------------------------------------------------------------- /graphics/workspace-one-api-panel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallstep/docs/4f0333dbd29e6ea20a1101247f689cd886213119/graphics/workspace-one-api-panel.png -------------------------------------------------------------------------------- /practical-zero-trust/README.mdx: 
-------------------------------------------------------------------------------- 1 | --- 2 | title: "Practical Zero Trust" 3 | html_title: Practical Zero Trust 4 | description: Smallstep's Practical Zero Trust tutorials provide a DevOps guide to automating TLS certificates and enabling server-side encryption. 5 | --- 6 | 7 | import { ToolsIcon } from '@smallstep/step-ui'; 8 | 9 | 10 | ## The DevOps practitioners guide 11 | 12 | Zero Trust or BeyondProd approaches require authenticated and encrypted communications everywhere. 13 | TLS is the cryptographic protocol that powers encryption for all your technologies. 14 | For TLS, you need certificates. 15 | This series of practitioner's tutorials provide instructions for automating TLS certificates for popular technologies. 16 | Get started quickly with the **try it** path and learn about TLS with your specific technology. 17 | Then, when ready, follow the **operationalize it** path to automate deployments and certificate management powering server-side encryption. 18 | The tutorials include configuration options for Linux, Docker, and Kubernetes environments using the ACME protocol, systemd timers, and other modern techniques for certificate management. 19 | 20 | ## Available Tutorials 21 | 22 | * [Redis TLS >](https://smallstep.com/practical-zero-trust/redis-tls) 23 | * [MongoDB TLS >](https://smallstep.com/practical-zero-trust/mongodb-tls) 24 | * [Kubernetes Ingress TLS >](https://smallstep.com/practical-zero-trust/kubernetes-ingress-tls) 25 | * [nginx TLS >](https://smallstep.com/practical-zero-trust/nginx-tls) 26 | * [MySQL TLS >](https://smallstep.com/practical-zero-trust/mysql-tls) 27 | * [PostgreSQL TLS >](https://smallstep.com/practical-zero-trust/postgresql-tls) 28 | * [Istio TLS >](https://smallstep.com/practical-zero-trust/istio-tls) 29 | * [Go gRPC TLS >](https://smallstep.com/practical-zero-trust/go-grpc-tls) 30 | 31 | ## Looking For Something Specific? 
32 | 33 | We are continually updating our tutorial library and would love to hear what you want to learn next. Visit [GitHub Discussions](https://github.com/smallstep/certificates/discussions) and let us know. 34 | -------------------------------------------------------------------------------- /registration-authorities/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: Getting Started with Smallstep Registration Authorities 3 | html_title: Registration Authority, extend your existing PKI 4 | description: Provide automated enrollment and renewal of certificates using modern techniques while extending your existing internal PKI 5 | --- 6 | 7 | Smallstep Registration Authorities (RA) provide automated enrollment and renewal of certificates using modern techniques while extending your existing internal PKI. Smallstep RAs act narrowly as a _registration authority_, accepting certificate orders, and authenticating certificate requests. Smallstep RAs do not sign certificates. Instead, certificate requests are passed to your existing PKI infrastructure to sign and catalog. Benefits of this approach include: 8 | 9 | * Issued certificates are trusted by anything that trusts your PKI root certificate. 10 | * Issued certificates appear in your PKI console and audit logs. 11 | * Security-sensitive signing keys are managed by your existing PKI and never seen by Smallstep ACME RA. 12 | 13 | ![Smallstep RA](/graphics/docs-registration-authorities-logo.png "Smallstep RA") 14 | 15 | Today Smallstep is focused on building ACME registration authorities for popular PKI platforms. In the future, we intend to expand our RA support to address the capabilities of the many Smallstep provisioners. 
16 | 17 | * Try it today on GCP with the [ACME RA for Google Certificate Authority Service](../registration-authorities/acme-for-cas.mdx) 18 | * [Register for early access](https://info.smallstep.com/acme-protocol/) for other PKI providers (Microsoft ADCS, HashiCorp Vault, AWS ACM PCA, EJBCA, and others) 19 | -------------------------------------------------------------------------------- /ssh/client.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: Smallstep SSH Client Quickstart 3 | description: Smallstep SSH Client Quickstart | Smallstep Documentation 4 | --- 5 | 6 | ### Prerequisites 7 | 8 | * An account on the smallstep platform. Need one? [Register here.](https://smallstep.com/signup?product=ssh) 9 | 10 | ### Features 11 | 12 | The following features are supported: 13 | 14 | * Client configuration of OpenSSH to support Smallstep SSH 15 | * Support for the following client platforms: 16 | * macOS (10.13 High Sierra or above) 17 | * Windows 10 (using PowerShell) 18 | * Ubuntu 18.04 LTS 19 | * CentOS 7 and CentOS Stream 8 20 | * Fedora (34 and 35) 21 | * Debian 10 22 | 23 | ## Instructions 24 | 25 | The Client Quickstart is accessible within the smallstep UI. When selected, it configures a unique URL that simplifies user registration down to a simple copy-paste exercise. 
You can find it as follows: 26 | 27 | ### Sign in to the smallstep UI 28 | 29 | * Sign in at `https://smallstep.com/app/[Team ID]` 30 | * Select the "Resources" menu item 31 | * A link to the **Client Quickstart Guide** is available under the "Guides" section of this page 32 | 33 | ### Alternate Instructions 34 | 35 | You can also modify the following link by replacing `[Team ID]` with your Smallstep SSH Team ID: 36 | 37 | * `https://smallstep.com/app/teams/quickstart?team=[Team ID]` 38 | * For example: smallstep.com/app/teams/quickstart?**team=avengers** 39 | -------------------------------------------------------------------------------- /step-cli/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | title: "`step` CLI" 3 | html_title: step CLI 4 | description: step CLI 5 | cta: 6 | text: Install `step` 7 | icon: ToolsIcon 8 | path: /docs/step-cli/installation 9 | --- 10 | 11 | ## Introduction to `step` 12 | 13 | `step` is an easy-to-use CLI tool for building, operating, and automating Public Key Infrastructure (PKI) systems and workflows. `step` acts as front-end interface to [Certificate Manager](../certificate-manager) and [`step-ca`](../step-ca), an online X.509 and SSH Certificate Authority (CA). `step` is also a standalone, general-purpose PKI toolkit: You can use it for many common crypto and X.509 operations. 14 | 15 | ## Using `step` with `step-ca` 16 | 17 | If you'd like to use `step` with `step-ca`, head over to the [`step-ca` documentation](../step-ca) for command usage information and examples. 18 | 19 | ## Examples that don't require `step-ca` 20 | 21 | `step` has plenty of features that make crypto easier for the casual user. 
22 | 23 | Here are a few common uses of the `step` command that don't require `step-ca`: 24 | 25 | - [Create and work with X.509 certificates](./basic-crypto-operations.mdx#create-and-work-with-x509-certificates) 26 | - [Get a TLS Certificate From Let's Encrypt](./basic-crypto-operations.mdx#get-a-tls-certificate-from-lets-encrypt) 27 | - [Generate JSON Web Tokens (JWTs) and JSON Web Keys (JWKs)](./basic-crypto-operations.mdx#generate-json-web-tokens-jwts-and-json-web-keys-jwks) 28 | - [Obtain and Work With OAuth Tokens](./basic-crypto-operations.mdx#obtain-and-work-with-oauth-tokens) 29 | - [Inspect an SSH certificate](./basic-crypto-operations.mdx#work-with-ssh-certificates) 30 | - [Sign and encrypt arbitrary data using the NaCl library](./basic-crypto-operations.mdx#sign-and-encrypt-arbitrary-data) 31 | - [Generate and verify TOTP tokens for multi-factor authentication (MFA)](./basic-crypto-operations.mdx#generate-totp-tokens-for-multi-factor-authentication-mfa) 32 | - Add and remove CA certificates from your system's default trust store 33 | 34 | ## Next Steps 35 | 36 | * [Installation](./installation.mdx) 37 | * [The `step` Command](./the-step-command.mdx) 38 | * [Basic Crypto Operations](./basic-crypto-operations.mdx) 39 | * [Command Reference](./reference/) 40 | -------------------------------------------------------------------------------- /step-cli/reference/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step 5 | menu: 6 | docs: 7 | children: 8 | - help 9 | - api 10 | - path 11 | - base64 12 | - fileserver 13 | - certificate 14 | - completion 15 | - context 16 | - crl 17 | - crypto 18 | - oauth 19 | - version 20 | - ca 21 | - beta 22 | - ssh 23 | --- 24 | 25 | ## Name 26 | **step** -- plumbing for distributed systems 27 | 28 | ## Usage 29 | 30 | ```raw 31 | step [arguments] 32 | ``` 33 | 34 | ## Options 35 | 36 | **--help**, **-h** 37 | show help 38 
| 39 | **--config**=`value` 40 | path to the config file to use for CLI flags 41 | 42 | **--version**, **-v** 43 | print the version 44 | 45 | 46 | ## Commands 47 | 48 | 49 | | Name | Usage | 50 | |---|---| 51 | | **[help, h](help/)** | display help for the specified command or command group | 52 | | **[path](path/)** | print the configured step path and exit | 53 | | **[base64](base64/)** | encodes and decodes using base64 representation | 54 | | **[certificate](certificate/)** | create, revoke, validate, bundle, and otherwise manage certificates | 55 | | **[completion](completion/)** | print the shell completion script | 56 | | **[context](context/)** | manage certificate authority contexts | 57 | | **[crl](crl/)** | initialize and manage a certificate revocation list | 58 | | **[crypto](crypto/)** | useful cryptographic plumbing | 59 | | **[oauth](oauth/)** | authorization and single sign-on using OAuth & OIDC | 60 | | **[version](version/)** | display the current version of the cli | 61 | | **[ca](ca/)** | initialize and manage a certificate authority | 62 | | **[beta](beta/)** | commands that are being tested; these APIs are likely to change | 63 | | **[ssh](ssh/)** | create and manage ssh certificates | 64 | 65 | 66 | ## Version 67 | 68 | Smallstep CLI/0.28.6 (linux/amd64) 69 | 70 | ## Copyright 71 | 72 | (c) 2018-2025 Smallstep Labs, Inc. 
73 | 74 | -------------------------------------------------------------------------------- /step-cli/reference/api/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step api 5 | menu: 6 | docs: 7 | parent: step 8 | children: 9 | - token 10 | --- 11 | 12 | ## Name 13 | **step api** -- authenticate to the Smallstep API 14 | 15 | ## Usage 16 | 17 | ```raw 18 | step api [arguments] [global-flags] [subcommand-flags] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step api** provides commands for connecting to the Smallstep API. 24 | 25 | 26 | ## Commands 27 | 28 | 29 | | Name | Usage | 30 | |---|---| 31 | | **[token](token/)** | create tokens for connecting to the Smallstep API | 32 | 33 | -------------------------------------------------------------------------------- /step-cli/reference/api/token/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step api token 5 | menu: 6 | docs: 7 | parent: step api 8 | children: 9 | - create 10 | --- 11 | 12 | ## Name 13 | **step api token** -- create tokens for connecting to the Smallstep API 14 | 15 | ## Usage 16 | 17 | ```raw 18 | step api token [arguments] [global-flags] [subcommand-flags] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step api token** command group provides commands for creating the 24 | tokens required to connect to the Smallstep API. 
25 | 26 | 27 | ## Commands 28 | 29 | 30 | | Name | Usage | 31 | |---|---| 32 | | **[create](create/)** | create a new token | 33 | 34 | -------------------------------------------------------------------------------- /step-cli/reference/api/token/create/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step api token create 5 | menu: 6 | docs: 7 | parent: step api token 8 | --- 9 | 10 | ## Name 11 | **step api token create** -- create a new token 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step api token create 17 | [--api-url=] [--audience=] 18 | 19 | ``` 20 | 21 | ## Description 22 | 23 | **step api token create** creates a new token for connecting to the Smallstep API. 24 | 25 | ## Positional arguments 26 | 27 | `team` 28 | UUID or slug of the team the API token will be issued for. This is available in the Smallstep dashboard. 29 | 30 | `crt-file` 31 | File to read the certificate (PEM format). This certificate must be signed by a trusted root configured in the Smallstep dashboard. 32 | 33 | `key-file` 34 | File to read the private key (PEM format). 
35 | 36 | ## Options 37 | 38 | 39 | **--api-url**=`value` 40 | URL where the Smallstep API can be found 41 | 42 | **--audience**=`value` 43 | Request a token for an audience other than the API Gateway 44 | 45 | ## Examples 46 | Use a certificate to get a new API token: 47 | ```shell 48 | $ step api token create ff98be70-7cc3-4df5-a5db-37f5d3c96e23 internal.crt internal.key 49 | ``` 50 | 51 | Get a token using the team slug: 52 | ```shell 53 | $ step api token create teamfoo internal.crt internal.key 54 | ``` 55 | 56 | 57 | -------------------------------------------------------------------------------- /step-cli/reference/base64/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step base64 5 | menu: 6 | docs: 7 | parent: step 8 | --- 9 | 10 | ## Name 11 | **step base64** -- encodes and decodes using base64 representation 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step base64 17 | [-d|--decode] [-r|--raw] [-u|--url] 18 | ``` 19 | 20 | ## Description 21 | 22 | **step base64** implements base64 encoding as specified by RFC 4648. 
23 | 24 | ## Options 25 | 26 | 27 | **-d**, **--decode** 28 | decode base64 input 29 | 30 | **-r**, **--raw** 31 | use the unpadded base64 encoding 32 | 33 | **-u**, **--url** 34 | use the encoding format typically used in URLs and file names 35 | 36 | ## Examples 37 | 38 | Encode to base64 using the standard encoding: 39 | ```shell 40 | $ echo -n This is the string to encode | step base64 41 | VGhpcyBpcyB0aGUgc3RyaW5nIHRvIGVuY29kZQ== 42 | $ step base64 This is the string to encode 43 | VGhpcyBpcyB0aGUgc3RyaW5nIHRvIGVuY29kZQ== 44 | ``` 45 | 46 | Decode a base64-encoded string: 47 | ```shell 48 | $ echo VGhpcyBpcyB0aGUgc3RyaW5nIHRvIGVuY29kZQ== | step base64 -d 49 | This is the string to encode 50 | ``` 51 | 52 | Encode to base64 without padding: 53 | ```shell 54 | $ echo -n This is the string to encode | step base64 -r 55 | VGhpcyBpcyB0aGUgc3RyaW5nIHRvIGVuY29kZQ 56 | $ step base64 -r This is the string to encode 57 | VGhpcyBpcyB0aGUgc3RyaW5nIHRvIGVuY29kZQ 58 | ``` 59 | 60 | Encode to base64 using the URL encoding: 61 | ```shell 62 | $ echo 'abc123$%^&*()_+-=~' | step base64 -u 63 | YWJjMTIzJCVeJiooKV8rLT1-Cg== 64 | ``` 65 | 66 | Decode a URL-encoded base64 string. 
The encoding type can be enforced 67 | using the '-u' or '-r' flags, but it will be auto-detected if they are not 68 | passed: 69 | ```shell 70 | $ echo YWJjMTIzJCVeJiooKV8rLT1-Cg== | step base64 -d 71 | abc123$%^&*()_+-=~ 72 | $ echo YWJjMTIzJCVeJiooKV8rLT1-Cg== | step base64 -d -u 73 | abc123$%^&*()_+-=~ 74 | ``` 75 | 76 | -------------------------------------------------------------------------------- /step-cli/reference/beta/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step beta 5 | menu: 6 | docs: 7 | parent: step 8 | children: 9 | - ca 10 | --- 11 | 12 | ## Name 13 | **step beta** -- commands that are being tested; these APIs are likely to change 14 | 15 | ## Usage 16 | 17 | ```raw 18 | step beta [arguments] [global-flags] [subcommand-flags] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step beta** command group provides access to new APIs that are in development. 24 | 25 | 26 | ## Commands 27 | 28 | 29 | | Name | Usage | 30 | |---|---| 31 | | **[ca](ca/)** | commands that are made available for testing new features and APIs | 32 | 33 | -------------------------------------------------------------------------------- /step-cli/reference/beta/ca/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step beta ca 5 | menu: 6 | docs: 7 | parent: step beta 8 | children: 9 | - acme 10 | --- 11 | 12 | ## Name 13 | **step beta ca** -- commands that are made available for testing new features and APIs 14 | 15 | ## Usage 16 | 17 | ```raw 18 | step beta ca [arguments] [global-flags] [subcommand-flags] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step beta ca** enables beta access to new step-ca APIs. These 24 | commands may change, disappear, or be promoted to a different subcommand in the future. 
25 | 26 | ## Commands 27 | 28 | 29 | | Name | Usage | 30 | |---|---| 31 | | **[acme](acme/)** | manage ACME settings | 32 | 33 | -------------------------------------------------------------------------------- /step-cli/reference/beta/ca/acme/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step beta ca acme 5 | menu: 6 | docs: 7 | parent: step beta ca 8 | children: 9 | - eab 10 | --- 11 | 12 | ## Name 13 | **step beta ca acme** -- manage ACME settings 14 | 15 | ## Usage 16 | 17 | ```raw 18 | step ca acme [arguments] [global-flags] [subcommand-flags] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step ca acme** command group provides facilities for managing ACME. 24 | 25 | ## Commands 26 | 27 | 28 | | Name | Usage | 29 | |---|---| 30 | | **[eab](eab/)** | create and manage ACME External Account Binding Keys | 31 | 32 | -------------------------------------------------------------------------------- /step-cli/reference/beta/ca/acme/eab/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step beta ca acme eab 5 | menu: 6 | docs: 7 | parent: step beta ca acme 8 | children: 9 | - list 10 | - add 11 | - remove 12 | --- 13 | 14 | ## Name 15 | **step beta ca acme eab** -- create and manage ACME External Account Binding Keys 16 | 17 | ## Usage 18 | 19 | ```raw 20 | step ca acme eab [arguments] [global-flags] [subcommand-flags] 21 | ``` 22 | 23 | ## Description 24 | 25 | **step ca acme eab** command group provides facilities for managing ACME 26 | External Account Binding Keys. 
27 | 28 | ## Examples 29 | 30 | List the active ACME External Account Binding Keys: 31 | ```shell 32 | $ step ca acme eab list my_provisioner 33 | ``` 34 | 35 | Add an ACME External Account Binding Key: 36 | ```shell 37 | $ step ca acme eab add my_provisioner my_reference 38 | ``` 39 | 40 | Remove an ACME External Account Binding Key: 41 | ```shell 42 | $ step ca acme eab remove my_provisioner my_key_id 43 | ``` 44 | 45 | 46 | ## Commands 47 | 48 | 49 | | Name | Usage | 50 | |---|---| 51 | | **[list](list/)** | list all ACME External Account Binding Keys | 52 | | **[add](add/)** | add ACME External Account Binding Key | 53 | | **[remove](remove/)** | remove an ACME EAB Key from the CA | 54 | 55 | -------------------------------------------------------------------------------- /step-cli/reference/beta/ca/acme/eab/add/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step beta ca acme eab add 5 | menu: 6 | docs: 7 | parent: step beta ca acme eab 8 | --- 9 | 10 | ## Name 11 | **step beta ca acme eab add** -- add ACME External Account Binding Key 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca acme eab add [] 17 | [--admin-cert=] [--admin-key=] [--admin-subject=] 18 | [--admin-provisioner=] [--admin-password-file=] 19 | [--ca-url=] [--root=] [--context=] 20 | ``` 21 | 22 | ## Description 23 | 24 | **step ca acme eab add** adds ACME External Account Binding Key. 25 | 26 | ## Positional arguments 27 | 28 | `provisioner` 29 | Name of the provisioner to which the ACME EAB key will be added 30 | 31 | `eab-key-reference` 32 | (Optional) reference (from external system) for the key that will be added 33 | 34 | ## Options 35 | 36 | 37 | **--admin-cert**=`chain` 38 | Admin certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT. 
39 | 40 | **--admin-key**=`file` 41 | Private key `file`, used to sign a JWT, corresponding to the admin certificate that will 42 | be stored in the 'x5c' header. 43 | 44 | **--admin-subject**=`subject`, **--admin-name**=`subject` 45 | The admin `subject` to use for generating admin credentials. 46 | 47 | **--admin-provisioner**=`name`, **--admin-issuer**=`name` 48 | The provisioner `name` to use for generating admin credentials. 49 | 50 | **--admin-password-file**=`file`, **--password-file**=`file` 51 | The path to the `file` containing the password to decrypt the one-time token 52 | generating key. 53 | 54 | **--ca-url**=`URI` 55 | `URI` of the targeted Step Certificate Authority. 56 | 57 | **--root**=`file` 58 | The path to the PEM `file` used as the root certificate authority. 59 | 60 | **--context**=`name` 61 | The context `name` to apply for the given command. 62 | 63 | ## Examples 64 | 65 | Add an ACME External Account Binding Key without reference: 66 | ```shell 67 | $ step ca acme eab add my_acme_provisioner 68 | ``` 69 | 70 | Add an ACME External Account Binding Key with reference: 71 | ```shell 72 | $ step ca acme eab add my_acme_provisioner my_first_eab_key 73 | ``` 74 | 75 | -------------------------------------------------------------------------------- /step-cli/reference/beta/ca/acme/eab/remove/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step beta ca acme eab remove 5 | menu: 6 | docs: 7 | parent: step beta ca acme eab 8 | --- 9 | 10 | ## Name 11 | **step beta ca acme eab remove** -- remove an ACME EAB Key from the CA 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca acme eab remove 17 | [--admin-cert=] [--admin-key=] [--admin-subject=] 18 | [--admin-provisioner=] [--admin-password-file=] 19 | [--ca-url=] [--root=] [--context=] 20 | ``` 21 | 22 | ## Description 23 | 24 | **step ca acme eab remove** removes an ACME EAB Key from the CA. 
25 | 26 | ## Positional arguments 27 | 28 | `provisioner` 29 | Name of the provisioner to remove an ACME EAB key for 30 | 31 | `eab-key-id` 32 | The ACME EAB Key ID to remove 33 | 34 | ## Options 35 | 36 | 37 | **--admin-cert**=`chain` 38 | Admin certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT. 39 | 40 | **--admin-key**=`file` 41 | Private key `file`, used to sign a JWT, corresponding to the admin certificate that will 42 | be stored in the 'x5c' header. 43 | 44 | **--admin-subject**=`subject`, **--admin-name**=`subject` 45 | The admin `subject` to use for generating admin credentials. 46 | 47 | **--admin-provisioner**=`name`, **--admin-issuer**=`name` 48 | The provisioner `name` to use for generating admin credentials. 49 | 50 | **--admin-password-file**=`file`, **--password-file**=`file` 51 | The path to the `file` containing the password to decrypt the one-time token 52 | generating key. 53 | 54 | **--ca-url**=`URI` 55 | `URI` of the targeted Step Certificate Authority. 56 | 57 | **--root**=`file` 58 | The path to the PEM `file` used as the root certificate authority. 59 | 60 | **--context**=`name` 61 | The context `name` to apply for the given command. 
62 | 63 | ## Examples 64 | 65 | Remove ACME EAB Key with Key ID "zFGdKC1sHmNf3Wsx3OujY808chxwEdmr" from my_acme_provisioner: 66 | ```shell 67 | $ step ca acme eab remove my_acme_provisioner zFGdKC1sHmNf3Wsx3OujY808chxwEdmr 68 | ``` 69 | 70 | 71 | -------------------------------------------------------------------------------- /step-cli/reference/ca/acme/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca acme 5 | menu: 6 | docs: 7 | parent: step ca 8 | children: 9 | - eab 10 | --- 11 | 12 | ## Name 13 | **step ca acme** -- manage ACME settings 14 | 15 | ## Usage 16 | 17 | ```raw 18 | step ca acme [arguments] [global-flags] [subcommand-flags] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step ca acme** command group provides facilities for managing ACME. 24 | 25 | ## Commands 26 | 27 | 28 | | Name | Usage | 29 | |---|---| 30 | | **[eab](eab/)** | create and manage ACME External Account Binding Keys | 31 | 32 | -------------------------------------------------------------------------------- /step-cli/reference/ca/acme/eab/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca acme eab 5 | menu: 6 | docs: 7 | parent: step ca acme 8 | children: 9 | - list 10 | - add 11 | - remove 12 | --- 13 | 14 | ## Name 15 | **step ca acme eab** -- create and manage ACME External Account Binding Keys 16 | 17 | ## Usage 18 | 19 | ```raw 20 | step ca acme eab [arguments] [global-flags] [subcommand-flags] 21 | ``` 22 | 23 | ## Description 24 | 25 | **step ca acme eab** command group provides facilities for managing ACME 26 | External Account Binding Keys. 
27 | 28 | ## Examples 29 | 30 | List the active ACME External Account Binding Keys: 31 | ```shell 32 | $ step ca acme eab list my_provisioner 33 | ``` 34 | 35 | Add an ACME External Account Binding Key: 36 | ```shell 37 | $ step ca acme eab add my_provisioner my_reference 38 | ``` 39 | 40 | Remove an ACME External Account Binding Key: 41 | ```shell 42 | $ step ca acme eab remove my_provisioner my_key_id 43 | ``` 44 | 45 | 46 | ## Commands 47 | 48 | 49 | | Name | Usage | 50 | |---|---| 51 | | **[list](list/)** | list all ACME External Account Binding Keys | 52 | | **[add](add/)** | add ACME External Account Binding Key | 53 | | **[remove](remove/)** | remove an ACME EAB Key from the CA | 54 | 55 | -------------------------------------------------------------------------------- /step-cli/reference/ca/acme/eab/add/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca acme eab add 5 | menu: 6 | docs: 7 | parent: step ca acme eab 8 | --- 9 | 10 | ## Name 11 | **step ca acme eab add** -- add ACME External Account Binding Key 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca acme eab add [] 17 | [--admin-cert=] [--admin-key=] [--admin-subject=] 18 | [--admin-provisioner=] [--admin-password-file=] 19 | [--ca-url=] [--root=] [--context=] 20 | ``` 21 | 22 | ## Description 23 | 24 | **step ca acme eab add** adds ACME External Account Binding Key. 25 | 26 | ## Positional arguments 27 | 28 | `provisioner` 29 | Name of the provisioner to which the ACME EAB key will be added 30 | 31 | `eab-key-reference` 32 | (Optional) reference (from external system) for the key that will be added 33 | 34 | ## Options 35 | 36 | 37 | **--admin-cert**=`chain` 38 | Admin certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT. 
39 | 40 | **--admin-key**=`file` 41 | Private key `file`, used to sign a JWT, corresponding to the admin certificate that will 42 | be stored in the 'x5c' header. 43 | 44 | **--admin-subject**=`subject`, **--admin-name**=`subject` 45 | The admin `subject` to use for generating admin credentials. 46 | 47 | **--admin-provisioner**=`name`, **--admin-issuer**=`name` 48 | The provisioner `name` to use for generating admin credentials. 49 | 50 | **--admin-password-file**=`file`, **--password-file**=`file` 51 | The path to the `file` containing the password to decrypt the one-time token 52 | generating key. 53 | 54 | **--ca-url**=`URI` 55 | `URI` of the targeted Step Certificate Authority. 56 | 57 | **--root**=`file` 58 | The path to the PEM `file` used as the root certificate authority. 59 | 60 | **--context**=`name` 61 | The context `name` to apply for the given command. 62 | 63 | ## Examples 64 | 65 | Add an ACME External Account Binding Key without reference: 66 | ```shell 67 | $ step ca acme eab add my_acme_provisioner 68 | ``` 69 | 70 | Add an ACME External Account Binding Key with reference: 71 | ```shell 72 | $ step ca acme eab add my_acme_provisioner my_first_eab_key 73 | ``` 74 | 75 | -------------------------------------------------------------------------------- /step-cli/reference/ca/acme/eab/remove/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca acme eab remove 5 | menu: 6 | docs: 7 | parent: step ca acme eab 8 | --- 9 | 10 | ## Name 11 | **step ca acme eab remove** -- remove an ACME EAB Key from the CA 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca acme eab remove 17 | [--admin-cert=] [--admin-key=] [--admin-subject=] 18 | [--admin-provisioner=] [--admin-password-file=] 19 | [--ca-url=] [--root=] [--context=] 20 | ``` 21 | 22 | ## Description 23 | 24 | **step ca acme eab remove** removes an ACME EAB Key from the CA. 
25 | 26 | ## Positional arguments 27 | 28 | `provisioner` 29 | Name of the provisioner to remove an ACME EAB key for 30 | 31 | `eab-key-id` 32 | The ACME EAB Key ID to remove 33 | 34 | ## Options 35 | 36 | 37 | **--admin-cert**=`chain` 38 | Admin certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT. 39 | 40 | **--admin-key**=`file` 41 | Private key `file`, used to sign a JWT, corresponding to the admin certificate that will 42 | be stored in the 'x5c' header. 43 | 44 | **--admin-subject**=`subject`, **--admin-name**=`subject` 45 | The admin `subject` to use for generating admin credentials. 46 | 47 | **--admin-provisioner**=`name`, **--admin-issuer**=`name` 48 | The provisioner `name` to use for generating admin credentials. 49 | 50 | **--admin-password-file**=`file`, **--password-file**=`file` 51 | The path to the `file` containing the password to decrypt the one-time token 52 | generating key. 53 | 54 | **--ca-url**=`URI` 55 | `URI` of the targeted Step Certificate Authority. 56 | 57 | **--root**=`file` 58 | The path to the PEM `file` used as the root certificate authority. 59 | 60 | **--context**=`name` 61 | The context `name` to apply for the given command. 
62 | 63 | ## Examples 64 | 65 | Remove ACME EAB Key with Key ID "zFGdKC1sHmNf3Wsx3OujY808chxwEdmr" from my_acme_provisioner: 66 | ```shell 67 | $ step ca acme eab remove my_acme_provisioner zFGdKC1sHmNf3Wsx3OujY808chxwEdmr 68 | ``` 69 | 70 | 71 | -------------------------------------------------------------------------------- /step-cli/reference/ca/admin/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca admin 5 | menu: 6 | docs: 7 | parent: step ca 8 | children: 9 | - list 10 | - add 11 | - remove 12 | - update 13 | --- 14 | 15 | ## Name 16 | **step ca admin** -- create and manage the certificate authority admins 17 | 18 | ## Usage 19 | 20 | ```raw 21 | step ca admin [arguments] [global-flags] [subcommand-flags] 22 | ``` 23 | 24 | ## Description 25 | 26 | **step ca admin** command group provides facilities for managing the 27 | certificate authority admins. 28 | 29 | An admin is an entity that manages administrative resources (like authority 30 | configuration, provisioner configuration, and other admins) within a certificate 31 | authority. 
32 | 33 | ## Examples 34 | 35 | List the active admins: 36 | ```shell 37 | $ step ca admin list 38 | ``` 39 | 40 | Add an admin: 41 | ```shell 42 | $ step ca admin add max@smallstep.com my-jwk-provisioner --super 43 | ``` 44 | 45 | Update an admin: 46 | ```shell 47 | $ step ca admin update max@smallstep.com --super=false 48 | ``` 49 | 50 | Remove an admin: 51 | ```shell 52 | $ step ca admin remove max@smallstep.com 53 | ``` 54 | 55 | ## Commands 56 | 57 | 58 | | Name | Usage | 59 | |---|---| 60 | | **[list](list/)** | list all admins in the CA configuration | 61 | | **[add](add/)** | add an admin to the CA configuration | 62 | | **[remove](remove/)** | remove an admin from the CA configuration | 63 | | **[update](update/)** | update an admin | 64 | 65 | -------------------------------------------------------------------------------- /step-cli/reference/ca/admin/add/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca admin add 5 | menu: 6 | docs: 7 | parent: step ca admin 8 | --- 9 | 10 | ## Name 11 | **step ca admin add** -- add an admin to the CA configuration 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca admin add [--super] 17 | [--admin-cert=] [--admin-key=] [--admin-subject=] 18 | [--admin-provisioner=] [--admin-password-file=] 19 | [--ca-url=] [--root=] [--context=] 20 | ``` 21 | 22 | ## Description 23 | 24 | **step ca admin add** adds an admin to the CA configuration. 25 | 26 | ## Positional arguments 27 | 28 | `subject` 29 | The subject name that must appear in the identifying credential of the admin. 30 | 31 | `provisioner` 32 | The name of the provisioner 33 | 34 | ## Options 35 | 36 | 37 | **--super** 38 | Give administrator SuperAdmin privileges. 39 | 40 | **--admin-cert**=`chain` 41 | Admin certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT. 
42 | 43 | **--admin-key**=`file` 44 | Private key `file`, used to sign a JWT, corresponding to the admin certificate that will 45 | be stored in the 'x5c' header. 46 | 47 | **--admin-subject**=`subject`, **--admin-name**=`subject` 48 | The admin `subject` to use for generating admin credentials. 49 | 50 | **--admin-provisioner**=`name`, **--admin-issuer**=`name` 51 | The provisioner `name` to use for generating admin credentials. 52 | 53 | **--admin-password-file**=`file`, **--password-file**=`file` 54 | The path to the `file` containing the password to decrypt the one-time token 55 | generating key. 56 | 57 | **--ca-url**=`URI` 58 | `URI` of the targeted Step Certificate Authority. 59 | 60 | **--root**=`file` 61 | The path to the PEM `file` used as the root certificate authority. 62 | 63 | **--context**=`name` 64 | The context `name` to apply for the given command. 65 | 66 | ## Examples 67 | 68 | Add regular Admin: 69 | ```shell 70 | $ step ca admin add max@smallstep.com google 71 | ``` 72 | 73 | Add SuperAdmin: 74 | ```shell 75 | $ step ca admin add max@smallstep.com google --super 76 | ``` 77 | 78 | 79 | -------------------------------------------------------------------------------- /step-cli/reference/ca/admin/remove/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca admin remove 5 | menu: 6 | docs: 7 | parent: step ca admin 8 | --- 9 | 10 | ## Name 11 | **step ca admin remove** -- remove an admin from the CA configuration 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca admin remove [--provisioner=] 17 | [--admin-cert=] [--admin-key=] [--admin-subject=] 18 | [--admin-provisioner=] [--admin-password-file=] 19 | [--ca-url=] [--root=] [--context=] 20 | ``` 21 | 22 | ## Description 23 | 24 | **step ca admin remove** removes an admin from the CA configuration. 25 | 26 | ## Positional arguments 27 | 28 | `name` 29 | The name of the admin to be removed. 
30 | 31 | ## Options 32 | 33 | 34 | **--provisioner**=`name` 35 | The provisioner `name` by which to filter admins. 36 | 37 | **--admin-cert**=`chain` 38 | Admin certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT. 39 | 40 | **--admin-key**=`file` 41 | Private key `file`, used to sign a JWT, corresponding to the admin certificate that will 42 | be stored in the 'x5c' header. 43 | 44 | **--admin-subject**=`subject`, **--admin-name**=`subject` 45 | The admin `subject` to use for generating admin credentials. 46 | 47 | **--admin-provisioner**=`name`, **--admin-issuer**=`name` 48 | The provisioner `name` to use for generating admin credentials. 49 | 50 | **--admin-password-file**=`file`, **--password-file**=`file` 51 | The path to the `file` containing the password to decrypt the one-time token 52 | generating key. 53 | 54 | **--ca-url**=`URI` 55 | `URI` of the targeted Step Certificate Authority. 56 | 57 | **--root**=`file` 58 | The path to the PEM `file` used as the root certificate authority. 59 | 60 | **--context**=`name` 61 | The context `name` to apply for the given command. 
62 | 63 | ## Examples 64 | 65 | Remove an admin: 66 | ```shell 67 | $ step ca admin remove max@smallstep.com 68 | ``` 69 | 70 | Remove an admin with additional filtering by provisioner: 71 | ```shell 72 | $ step ca admin remove max@smallstep.com --provisioner admin-jwk 73 | ``` 74 | 75 | 76 | -------------------------------------------------------------------------------- /step-cli/reference/ca/admin/update/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca admin update 5 | menu: 6 | docs: 7 | parent: step ca admin 8 | --- 9 | 10 | ## Name 11 | **step ca admin update** -- update an admin 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca admin update [--super] [--provisioner=] 17 | [--admin-cert=] [--admin-key=] [--admin-subject=] 18 | [--admin-provisioner=] [--admin-password-file=] 19 | [--ca-url=] [--root=] [--context=] 20 | ``` 21 | 22 | ## Description 23 | 24 | **step ca admin update** updates an admin. 25 | 26 | ## Positional arguments 27 | 28 | `id` 29 | The name of the admin to update. 30 | 31 | ## Options 32 | 33 | 34 | **--super** 35 | Update the admin with super-admin privileges. 36 | 37 | **--provisioner**=`name` 38 | The provisioner `name` by which to filter admins. 39 | 40 | **--admin-cert**=`chain` 41 | Admin certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT. 42 | 43 | **--admin-key**=`file` 44 | Private key `file`, used to sign a JWT, corresponding to the admin certificate that will 45 | be stored in the 'x5c' header. 46 | 47 | **--admin-subject**=`subject`, **--admin-name**=`subject` 48 | The admin `subject` to use for generating admin credentials. 49 | 50 | **--admin-provisioner**=`name`, **--admin-issuer**=`name` 51 | The provisioner `name` to use for generating admin credentials. 
52 |
53 | **--admin-password-file**=`file`, **--password-file**=`file`
54 | The path to the `file` containing the password to decrypt the one-time token
55 | generating key.
56 |
57 | **--ca-url**=`URI`
58 | `URI` of the targeted Step Certificate Authority.
59 |
60 | **--root**=`file`
61 | The path to the PEM `file` used as the root certificate authority.
62 |
63 | **--context**=`name`
64 | The context `name` to apply for the given command.
65 |
66 | ## Examples
67 |
68 | Add super-admin privileges to an admin:
69 | ```shell
70 | $ step ca admin update max@smallstep.com --super
71 | ```
72 |
73 | Specify admin by provisioner:
74 | ```shell
75 | $ step ca admin update max@smallstep.com --super --provisioner devops-jwk
76 | ```
77 |
78 | Remove super-admin privileges from an admin:
79 | ```shell
80 | $ step ca admin update max@smallstep.com --super=false
81 | ```
82 |
83 |
84 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/federation/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca federation
5 | menu:
6 |   docs:
7 |     parent: step ca
8 | ---
9 |
10 | ## Name
11 | **step ca federation** -- download all the federated certificates
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step ca federation [<federation-file>]
17 | [--ca-url=<URI>] [--root=<file>] [--context=<name>]
18 | ```
19 |
20 | ## Description
21 |
22 | **step ca federation** downloads a certificate bundle with all the root
23 | certificates in the federation.
24 |
25 | ## Positional arguments
26 |
27 | `federation-file`
28 | File to write federation certificates (PEM format)
29 |
30 | ## Options
31 |
32 |
33 | **--ca-url**=`URI`
34 | `URI` of the targeted Step Certificate Authority.
35 |
36 | **-f**, **--force**
37 | Force the overwrite of files without asking.
38 |
39 | **--root**=`file`
40 | The path to the PEM `file` used as the root certificate authority.
41 |
42 | **--context**=`name`
43 | The context `name` to apply for the given command.
44 |
45 | ## Examples
46 |
47 | Download the federated roots with flags set by `step ca bootstrap`:
48 | ```shell
49 | $ step ca federation federation.pem
50 | ```
51 |
52 | Download the federated roots with custom flags:
53 | ```shell
54 | $ step ca federation federation.pem \
55 | --ca-url https://ca.example.com \
56 | --root /path/to/root_ca.crt
57 | ```
58 |
59 | Print the federated roots using flags set by `step ca bootstrap`:
60 | ```shell
61 | $ step ca federation
62 | ```
63 |
64 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/health/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca health
5 | menu:
6 |   docs:
7 |     parent: step ca
8 | ---
9 |
10 | ## Name
11 | **step ca health** -- get the status of the CA
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step ca health
17 | [--ca-url=<URI>] [--root=<file>] [--context=<name>]
18 | ```
19 |
20 | ## Description
21 |
22 | **step ca health** makes an API request to the /health
23 | endpoint of the Step CA to check if it is running. If the CA is healthy, the
24 | response will be 'ok'.
25 |
26 | ## Options
27 |
28 |
29 | **--ca-url**=`URI`
30 | `URI` of the targeted Step Certificate Authority.
31 |
32 | **--root**=`file`
33 | The path to the PEM `file` used as the root certificate authority.
34 |
35 | **--context**=`name`
36 | The context `name` to apply for the given command.
37 |
38 | ## Examples
39 |
40 | Using the required flags:
41 | ```shell
42 | $ step ca health --ca-url https://ca.smallstep.com:8080 --root path/to/root_ca.crt
43 | ok
44 | ```
45 |
46 | With the required flags preconfigured:
47 |
48 | **--ca-url** is set using environment variables (as STEP_CA_URL) or the default
49 | configuration file in `$STEPPATH/config/defaults.json`.
50 |
51 | **--root** is set using environment variables (as STEP_ROOT), the default
52 | configuration file in `$STEPPATH/config/defaults.json` or the default root
53 | certificate located in `$STEPPATH/certs/root_ca.crt`.
54 |
55 | ```shell
56 | $ step ca health
57 | ok
58 | ```
59 |
60 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy
5 | menu:
6 |   docs:
7 |     parent: step ca
8 |     children:
9 |       - authority
10 |       - provisioner
11 |       - acme
12 | ---
13 |
14 | ## Name
15 | **step ca policy** -- manage certificate issuance policies
16 |
17 | ## Usage
18 |
19 | ```raw
20 | step ca policy [arguments] [global-flags] [subcommand-flags]
21 | ```
22 |
23 | ## Description
24 |
25 | **step ca policy** command group provides facilities for managing certificate issuance policies.
26 |
27 | ## Commands
28 |
29 |
30 | | Name | Usage |
31 | |---|---|
32 | | **[authority](authority/)** | manage certificate issuance policies for authorities |
33 | | **[provisioner](provisioner/)** | manage certificate issuance policies for provisioners |
34 | | **[acme](acme/)** | manage certificate issuance policies for ACME accounts. |
35 |
36 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/acme/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy acme
5 | menu:
6 |   docs:
7 |     parent: step ca policy
8 |     children:
9 |       - view
10 |       - remove
11 |       - x509
12 | ---
13 |
14 | ## Name
15 | **step ca policy acme** -- manage certificate issuance policies for ACME accounts.
16 |
17 | ## Usage
18 |
19 | ```raw
20 | step ca policy acme [arguments] [global-flags] [subcommand-flags]
21 | ```
22 |
23 | ## Description
24 |
25 | **step ca policy acme** command group provides facilities for managing certificate issuance policies for ACME accounts.
26 |
27 | Please note that certificate issuance policies for ACME accounts are currently only supported in Certificate Manager: https://u.step.sm/cm.
28 |
29 |
30 |
31 | ## Commands
32 |
33 |
34 | | Name | Usage |
35 | |---|---|
36 | | **[view](view/)** | view current certificate issuance policy |
37 | | **[remove](remove/)** | remove certificate issuance policy |
38 | | **[x509](x509/)** | manage X.509 certificate issuance policies |
39 |
40 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/acme/x509/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy acme x509
5 | menu:
6 |   docs:
7 |     parent: step ca policy acme
8 |     children:
9 |       - allow
10 |       - deny
11 |       - wildcards
12 | ---
13 |
14 | ## Name
15 | **step ca policy acme x509** -- manage X.509 certificate issuance policies
16 |
17 | ## Usage
18 |
19 | ```raw
20 | step ca policy x509 [arguments] [global-flags] [subcommand-flags]
21 | ```
22 |
23 | ## Description
24 |
25 | **step ca policy x509** command group provides facilities for managing X.509 certificate issuance policies.
26 |
27 | ## Commands
28 |
29 |
30 | | Name | Usage |
31 | |---|---|
32 | | **[allow](allow/)** | manage allowed names for X.509 certificate issuance policies |
33 | | **[deny](deny/)** | manage denied names for X.509 certificate issuance policies |
34 | | **[wildcards](wildcards/)** | manage wildcard name settings for X.509 certificate issuance policies |
35 |
36 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/acme/x509/allow/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy acme x509 allow
5 | menu:
6 |   docs:
7 |     parent: step ca policy acme x509
8 |     children:
9 |       - cn
10 |       - dns
11 |       - email
12 |       - ip
13 |       - uri
14 | ---
15 |
16 | ## Name
17 | **step ca policy acme x509 allow** -- manage allowed names for X.509 certificate issuance policies
18 |
19 | ## Usage
20 |
21 | ```raw
22 | step ca policy x509 allow [arguments] [global-flags] [subcommand-flags]
23 | ```
24 |
25 | ## Description
26 |
27 | **step ca policy x509 allow** command group provides facilities for managing X.509 names to be allowed.
28 |
29 | ## Commands
30 |
31 |
32 | | Name | Usage |
33 | |---|---|
34 | | **[cn](cn/)** | add or remove common names |
35 | | **[dns](dns/)** | add or remove DNS domains |
36 | | **[email](email/)** | add or remove email addresses |
37 | | **[ip](ip/)** | add or remove IP addresses |
38 | | **[uri](uri/)** | add or remove URI domains |
39 |
40 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/acme/x509/deny/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy acme x509 deny
5 | menu:
6 |   docs:
7 |     parent: step ca policy acme x509
8 |     children:
9 |       - cn
10 |       - dns
11 |       - email
12 |       - ip
13 |       - uri
14 | ---
15 |
16 | ## Name
17 | **step ca policy acme x509 deny** -- manage denied names for X.509 certificate issuance policies
18 |
19 | ## Usage
20 |
21 | ```raw
22 | step ca policy x509 deny [arguments] [global-flags] [subcommand-flags]
23 | ```
24 |
25 | ## Description
26 |
27 | **step ca policy x509 deny** command group provides facilities for managing X.509 names to be denied.
28 |
29 | ## Commands
30 |
31 |
32 | | Name | Usage |
33 | |---|---|
34 | | **[cn](cn/)** | add or remove common names |
35 | | **[dns](dns/)** | add or remove DNS domains |
36 | | **[email](email/)** | add or remove email addresses |
37 | | **[ip](ip/)** | add or remove IP addresses |
38 | | **[uri](uri/)** | add or remove URI domains |
39 |
40 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/acme/x509/wildcards/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy acme x509 wildcards
5 | menu:
6 |   docs:
7 |     parent: step ca policy acme x509
8 |     children:
9 |       - allow
10 |       - deny
11 | ---
12 |
13 | ## Name
14 | **step ca policy acme x509 wildcards** -- manage wildcard name settings for X.509 certificate issuance policies
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy x509 wildcards
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy x509 wildcards** command group provides facilities for managing X.509 wildcard names.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[allow](allow/)** | allow wildcard names in X.509 certificate issuance policies |
32 | | **[deny](deny/)** | deny wildcard names in X.509 certificate issuance policies |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority
5 | menu:
6 |   docs:
7 |     parent: step ca policy
8 |     children:
9 |       - view
10 |       - remove
11 |       - x509
12 |       - ssh
13 | ---
14 |
15 | ## Name
16 | **step ca policy authority** -- manage certificate issuance policies for authorities
17 |
18 | ## Usage
19 |
20 | ```raw
21 | step ca policy authority [arguments] [global-flags] [subcommand-flags]
22 | ```
23 |
24 | ## Description
25 |
26 | **step ca policy authority** command group provides facilities for managing certificate issuance policies for authorities.
27 |
28 | ## Commands
29 |
30 |
31 | | Name | Usage |
32 | |---|---|
33 | | **[view](view/)** | view current certificate issuance policy |
34 | | **[remove](remove/)** | remove certificate issuance policy |
35 | | **[x509](x509/)** | manage X.509 certificate issuance policies |
36 | | **[ssh](ssh/)** | manage SSH certificate issuance policies |
37 |
38 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/ssh/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority ssh
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority
8 |     children:
9 |       - host
10 |       - user
11 | ---
12 |
13 | ## Name
14 | **step ca policy authority ssh** -- manage SSH certificate issuance policies
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy ssh [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy ssh** command group provides facilities for managing SSH certificate issuance policies.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[host](host/)** | manage SSH host certificate issuance policies |
32 | | **[user](user/)** | manage SSH user certificate issuance policies |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/ssh/host/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority ssh host
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority ssh
8 |     children:
9 |       - allow
10 |       - deny
11 | ---
12 |
13 | ## Name
14 | **step ca policy authority ssh host** -- manage SSH host certificate issuance policies
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy ssh host [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy ssh host** command group provides facilities for managing SSH host certificate issuance policies.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[allow](allow/)** | manage allowed SSH host certificate principals |
32 | | **[deny](deny/)** | manage denied SSH host certificate principals |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/ssh/host/allow/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority ssh host allow
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority ssh host
8 |     children:
9 |       - dns
10 |       - email
11 |       - principal
12 | ---
13 |
14 | ## Name
15 | **step ca policy authority ssh host allow** -- manage allowed SSH host certificate principals
16 |
17 | ## Usage
18 |
19 | ```raw
20 | step ca policy ssh host allow [arguments] [global-flags] [subcommand-flags]
21 | ```
22 |
23 | ## Description
24 |
25 | **step ca policy ssh host allow** command group provides facilities for managing SSH host certificate principals to be allowed.
26 |
27 | ## Commands
28 |
29 |
30 | | Name | Usage |
31 | |---|---|
32 | | **[dns](dns/)** | add or remove DNS domains |
33 | | **[email](email/)** | add or remove email addresses |
34 | | **[principal](principal/)** | add or remove principals |
35 |
36 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/ssh/host/deny/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority ssh host deny
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority ssh host
8 |     children:
9 |       - dns
10 |       - email
11 |       - principal
12 | ---
13 |
14 | ## Name
15 | **step ca policy authority ssh host deny** -- manage denied SSH host certificate principals
16 |
17 | ## Usage
18 |
19 | ```raw
20 | step ca policy ssh host deny [arguments] [global-flags] [subcommand-flags]
21 | ```
22 |
23 | ## Description
24 |
25 | **step ca policy ssh host deny** command group provides facilities for managing SSH host certificate principals to be denied.
26 |
27 | ## Commands
28 |
29 |
30 | | Name | Usage |
31 | |---|---|
32 | | **[dns](dns/)** | add or remove DNS domains |
33 | | **[email](email/)** | add or remove email addresses |
34 | | **[principal](principal/)** | add or remove principals |
35 |
36 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/ssh/user/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority ssh user
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority ssh
8 |     children:
9 |       - allow
10 |       - deny
11 | ---
12 |
13 | ## Name
14 | **step ca policy authority ssh user** -- manage SSH user certificate issuance policies
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy ssh user [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy ssh user** command group provides facilities for managing SSH user certificate issuance policies.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[allow](allow/)** | manage allowed SSH user certificate principals |
32 | | **[deny](deny/)** | manage denied SSH user certificate principals |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/ssh/user/allow/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority ssh user allow
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority ssh user
8 |     children:
9 |       - email
10 |       - principal
11 | ---
12 |
13 | ## Name
14 | **step ca policy authority ssh user allow** -- manage allowed SSH user certificate principals
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy ssh user allow [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy ssh user allow** command group provides facilities for managing SSH user certificate principals to be allowed.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[email](email/)** | add or remove email addresses |
32 | | **[principal](principal/)** | add or remove principals |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/ssh/user/deny/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority ssh user deny
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority ssh user
8 |     children:
9 |       - email
10 |       - principal
11 | ---
12 |
13 | ## Name
14 | **step ca policy authority ssh user deny** -- manage denied SSH user certificate principals
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy ssh user deny [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy ssh user deny** command group provides facilities for managing SSH user certificate principals to be denied.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[email](email/)** | add or remove email addresses |
32 | | **[principal](principal/)** | add or remove principals |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/x509/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority x509
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority
8 |     children:
9 |       - allow
10 |       - deny
11 |       - wildcards
12 | ---
13 |
14 | ## Name
15 | **step ca policy authority x509** -- manage X.509 certificate issuance policies
16 |
17 | ## Usage
18 |
19 | ```raw
20 | step ca policy x509 [arguments] [global-flags] [subcommand-flags]
21 | ```
22 |
23 | ## Description
24 |
25 | **step ca policy x509** command group provides facilities for managing X.509 certificate issuance policies.
26 |
27 | ## Commands
28 |
29 |
30 | | Name | Usage |
31 | |---|---|
32 | | **[allow](allow/)** | manage allowed names for X.509 certificate issuance policies |
33 | | **[deny](deny/)** | manage denied names for X.509 certificate issuance policies |
34 | | **[wildcards](wildcards/)** | manage wildcard name settings for X.509 certificate issuance policies |
35 |
36 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/x509/allow/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority x509 allow
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority x509
8 |     children:
9 |       - cn
10 |       - dns
11 |       - email
12 |       - ip
13 |       - uri
14 | ---
15 |
16 | ## Name
17 | **step ca policy authority x509 allow** -- manage allowed names for X.509 certificate issuance policies
18 |
19 | ## Usage
20 |
21 | ```raw
22 | step ca policy x509 allow [arguments] [global-flags] [subcommand-flags]
23 | ```
24 |
25 | ## Description
26 |
27 | **step ca policy x509 allow** command group provides facilities for managing X.509 names to be allowed.
28 |
29 | ## Commands
30 |
31 |
32 | | Name | Usage |
33 | |---|---|
34 | | **[cn](cn/)** | add or remove common names |
35 | | **[dns](dns/)** | add or remove DNS domains |
36 | | **[email](email/)** | add or remove email addresses |
37 | | **[ip](ip/)** | add or remove IP addresses |
38 | | **[uri](uri/)** | add or remove URI domains |
39 |
40 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/x509/deny/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority x509 deny
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority x509
8 |     children:
9 |       - cn
10 |       - dns
11 |       - email
12 |       - ip
13 |       - uri
14 | ---
15 |
16 | ## Name
17 | **step ca policy authority x509 deny** -- manage denied names for X.509 certificate issuance policies
18 |
19 | ## Usage
20 |
21 | ```raw
22 | step ca policy x509 deny [arguments] [global-flags] [subcommand-flags]
23 | ```
24 |
25 | ## Description
26 |
27 | **step ca policy x509 deny** command group provides facilities for managing X.509 names to be denied.
28 |
29 | ## Commands
30 |
31 |
32 | | Name | Usage |
33 | |---|---|
34 | | **[cn](cn/)** | add or remove common names |
35 | | **[dns](dns/)** | add or remove DNS domains |
36 | | **[email](email/)** | add or remove email addresses |
37 | | **[ip](ip/)** | add or remove IP addresses |
38 | | **[uri](uri/)** | add or remove URI domains |
39 |
40 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/authority/x509/wildcards/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy authority x509 wildcards
5 | menu:
6 |   docs:
7 |     parent: step ca policy authority x509
8 |     children:
9 |       - allow
10 |       - deny
11 | ---
12 |
13 | ## Name
14 | **step ca policy authority x509 wildcards** -- manage wildcard name settings for X.509 certificate issuance policies
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy x509 wildcards
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy x509 wildcards** command group provides facilities for managing X.509 wildcard names.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[allow](allow/)** | allow wildcard names in X.509 certificate issuance policies |
32 | | **[deny](deny/)** | deny wildcard names in X.509 certificate issuance policies |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/provisioner/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy provisioner
5 | menu:
6 |   docs:
7 |     parent: step ca policy
8 |     children:
9 |       - view
10 |       - remove
11 |       - x509
12 |       - ssh
13 | ---
14 |
15 | ## Name
16 | **step ca policy provisioner** -- manage certificate issuance policies for provisioners
17 |
18 | ## Usage
19 |
20 | ```raw
21 | step ca policy provisioner [arguments] [global-flags] [subcommand-flags]
22 | ```
23 |
24 | ## Description
25 |
26 | **step ca policy provisioner** command group provides facilities for managing certificate issuance policies for provisioners.
27 |
28 | Please note that certificate issuance policies on the provisioner level are currently only supported in Certificate Manager: https://u.step.sm/cm.
29 |
30 |
31 |
32 | ## Commands
33 |
34 |
35 | | Name | Usage |
36 | |---|---|
37 | | **[view](view/)** | view current certificate issuance policy |
38 | | **[remove](remove/)** | remove certificate issuance policy |
39 | | **[x509](x509/)** | manage X.509 certificate issuance policies |
40 | | **[ssh](ssh/)** | manage SSH certificate issuance policies |
41 |
42 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/provisioner/ssh/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy provisioner ssh
5 | menu:
6 |   docs:
7 |     parent: step ca policy provisioner
8 |     children:
9 |       - host
10 |       - user
11 | ---
12 |
13 | ## Name
14 | **step ca policy provisioner ssh** -- manage SSH certificate issuance policies
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy ssh [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy ssh** command group provides facilities for managing SSH certificate issuance policies.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[host](host/)** | manage SSH host certificate issuance policies |
32 | | **[user](user/)** | manage SSH user certificate issuance policies |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/provisioner/ssh/host/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy provisioner ssh host
5 | menu:
6 |   docs:
7 |     parent: step ca policy provisioner ssh
8 |     children:
9 |       - allow
10 |       - deny
11 | ---
12 |
13 | ## Name
14 | **step ca policy provisioner ssh host** -- manage SSH host certificate issuance policies
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy ssh host [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy ssh host** command group provides facilities for managing SSH host certificate issuance policies.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[allow](allow/)** | manage allowed SSH host certificate principals |
32 | | **[deny](deny/)** | manage denied SSH host certificate principals |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/provisioner/ssh/host/allow/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy provisioner ssh host allow
5 | menu:
6 |   docs:
7 |     parent: step ca policy provisioner ssh host
8 |     children:
9 |       - dns
10 |       - email
11 |       - principal
12 | ---
13 |
14 | ## Name
15 | **step ca policy provisioner ssh host allow** -- manage allowed SSH host certificate principals
16 |
17 | ## Usage
18 |
19 | ```raw
20 | step ca policy ssh host allow [arguments] [global-flags] [subcommand-flags]
21 | ```
22 |
23 | ## Description
24 |
25 | **step ca policy ssh host allow** command group provides facilities for managing SSH host certificate principals to be allowed.
26 |
27 | ## Commands
28 |
29 |
30 | | Name | Usage |
31 | |---|---|
32 | | **[dns](dns/)** | add or remove DNS domains |
33 | | **[email](email/)** | add or remove email addresses |
34 | | **[principal](principal/)** | add or remove principals |
35 |
36 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/provisioner/ssh/host/deny/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy provisioner ssh host deny
5 | menu:
6 |   docs:
7 |     parent: step ca policy provisioner ssh host
8 |     children:
9 |       - dns
10 |       - email
11 |       - principal
12 | ---
13 |
14 | ## Name
15 | **step ca policy provisioner ssh host deny** -- manage denied SSH host certificate principals
16 |
17 | ## Usage
18 |
19 | ```raw
20 | step ca policy ssh host deny [arguments] [global-flags] [subcommand-flags]
21 | ```
22 |
23 | ## Description
24 |
25 | **step ca policy ssh host deny** command group provides facilities for managing SSH host certificate principals to be denied.
26 |
27 | ## Commands
28 |
29 |
30 | | Name | Usage |
31 | |---|---|
32 | | **[dns](dns/)** | add or remove DNS domains |
33 | | **[email](email/)** | add or remove email addresses |
34 | | **[principal](principal/)** | add or remove principals |
35 |
36 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/provisioner/ssh/user/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy provisioner ssh user
5 | menu:
6 |   docs:
7 |     parent: step ca policy provisioner ssh
8 |     children:
9 |       - allow
10 |       - deny
11 | ---
12 |
13 | ## Name
14 | **step ca policy provisioner ssh user** -- manage SSH user certificate issuance policies
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy ssh user [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy ssh user** command group provides facilities for managing SSH user certificate issuance policies.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[allow](allow/)** | manage allowed SSH user certificate principals |
32 | | **[deny](deny/)** | manage denied SSH user certificate principals |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/provisioner/ssh/user/allow/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy provisioner ssh user allow
5 | menu:
6 |   docs:
7 |     parent: step ca policy provisioner ssh user
8 |     children:
9 |       - email
10 |       - principal
11 | ---
12 |
13 | ## Name
14 | **step ca policy provisioner ssh user allow** -- manage allowed SSH user certificate principals
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy ssh user allow [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy ssh user allow** command group provides facilities for managing SSH user certificate principals to be allowed.
25 |
26 | ## Commands
27 |
28 |
29 | | Name | Usage |
30 | |---|---|
31 | | **[email](email/)** | add or remove email addresses |
32 | | **[principal](principal/)** | add or remove principals |
33 |
34 |
--------------------------------------------------------------------------------
/step-cli/reference/ca/policy/provisioner/ssh/user/deny/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step ca policy provisioner ssh user deny
5 | menu:
6 |   docs:
7 |     parent: step ca policy provisioner ssh user
8 |     children:
9 |       - email
10 |       - principal
11 | ---
12 |
13 | ## Name
14 | **step ca policy provisioner ssh user deny** -- manage denied SSH user certificate principals
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step ca policy ssh user deny [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step ca policy ssh user deny** command group provides facilities for managing SSH user certificate principals to be denied.
25 | 26 | ## Commands 27 | 28 | 29 | | Name | Usage | 30 | |---|---| 31 | | **[email](email/)** | add or remove email addresses | 32 | | **[principal](principal/)** | add or remove principals | 33 | 34 | -------------------------------------------------------------------------------- /step-cli/reference/ca/policy/provisioner/x509/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca policy provisioner x509 5 | menu: 6 | docs: 7 | parent: step ca policy provisioner 8 | children: 9 | - allow 10 | - deny 11 | - wildcards 12 | --- 13 | 14 | ## Name 15 | **step ca policy provisioner x509** -- manage X.509 certificate issuance policies 16 | 17 | ## Usage 18 | 19 | ```raw 20 | step ca policy x509 [arguments] [global-flags] [subcommand-flags] 21 | ``` 22 | 23 | ## Description 24 | 25 | **step ca policy x509** command group provides facilities for managing X.509 certificate issuance policies. 
26 | 27 | ## Commands 28 | 29 | 30 | | Name | Usage | 31 | |---|---| 32 | | **[allow](allow/)** | manage allowed names for X.509 certificate issuance policies | 33 | | **[deny](deny/)** | manage denied names for X.509 certificate issuance policies | 34 | | **[wildcards](wildcards/)** | manage wildcard name settings for X.509 certificate issuance policies | 35 | 36 | -------------------------------------------------------------------------------- /step-cli/reference/ca/policy/provisioner/x509/allow/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca policy provisioner x509 allow 5 | menu: 6 | docs: 7 | parent: step ca policy provisioner x509 8 | children: 9 | - cn 10 | - dns 11 | - email 12 | - ip 13 | - uri 14 | --- 15 | 16 | ## Name 17 | **step ca policy provisioner x509 allow** -- manage allowed names for X.509 certificate issuance policies 18 | 19 | ## Usage 20 | 21 | ```raw 22 | step ca policy x509 allow [arguments] [global-flags] [subcommand-flags] 23 | ``` 24 | 25 | ## Description 26 | 27 | **step ca policy x509 allow** command group provides facilities for managing X.509 names to be allowed. 
28 | 29 | ## Commands 30 | 31 | 32 | | Name | Usage | 33 | |---|---| 34 | | **[cn](cn/)** | add or remove common names | 35 | | **[dns](dns/)** | add or remove DNS domains | 36 | | **[email](email/)** | add or remove email addresses | 37 | | **[ip](ip/)** | add or remove ip addresses | 38 | | **[uri](uri/)** | add or remove URI domains | 39 | 40 | -------------------------------------------------------------------------------- /step-cli/reference/ca/policy/provisioner/x509/deny/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca policy provisioner x509 deny 5 | menu: 6 | docs: 7 | parent: step ca policy provisioner x509 8 | children: 9 | - cn 10 | - dns 11 | - email 12 | - ip 13 | - uri 14 | --- 15 | 16 | ## Name 17 | **step ca policy provisioner x509 deny** -- manage denied names for X.509 certificate issuance policies 18 | 19 | ## Usage 20 | 21 | ```raw 22 | step ca policy x509 deny [arguments] [global-flags] [subcommand-flags] 23 | ``` 24 | 25 | ## Description 26 | 27 | **step ca policy x509 deny** command group provides facilities for managing X.509 names to be denied. 
28 | 29 | ## Commands 30 | 31 | 32 | | Name | Usage | 33 | |---|---| 34 | | **[cn](cn/)** | add or remove common names | 35 | | **[dns](dns/)** | add or remove DNS domains | 36 | | **[email](email/)** | add or remove email addresses | 37 | | **[ip](ip/)** | add or remove ip addresses | 38 | | **[uri](uri/)** | add or remove URI domains | 39 | 40 | -------------------------------------------------------------------------------- /step-cli/reference/ca/policy/provisioner/x509/wildcards/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca policy provisioner x509 wildcards 5 | menu: 6 | docs: 7 | parent: step ca policy provisioner x509 8 | children: 9 | - allow 10 | - deny 11 | --- 12 | 13 | ## Name 14 | **step ca policy provisioner x509 wildcards** -- manage wildcard name settings for X.509 certificate issuance policies 15 | 16 | ## Usage 17 | 18 | ```raw 19 | step ca policy x509 wildcards 20 | ``` 21 | 22 | ## Description 23 | 24 | **step ca policy x509 wildcards** command group provides facilities for managing X.509 wildcard names. 
25 | 26 | ## Commands 27 | 28 | 29 | | Name | Usage | 30 | |---|---| 31 | | **[allow](allow/)** | allow wildcard names in X.509 certificate issuance policies | 32 | | **[deny](deny/)** | deny wildcard names in X.509 certificate issuance policies | 33 | 34 | -------------------------------------------------------------------------------- /step-cli/reference/ca/provisioner/jwe-key/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca provisioner jwe-key 5 | menu: 6 | docs: 7 | parent: step ca provisioner 8 | --- 9 | 10 | ## Name 11 | **step ca provisioner jwe-key** -- retrieve and print a provisioning key in the CA 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca provisioner jwe-key 17 | [--ca-url=] [--root=] [--context=] 18 | ``` 19 | 20 | ## Description 21 | 22 | **step ca provisioner jwe-key** returns the encrypted 23 | private jwk for the given key-id. 24 | 25 | ## Options 26 | 27 | 28 | **--ca-url**=`URI` 29 | `URI` of the targeted Step Certificate Authority. 30 | 31 | **--root**=`file` 32 | The path to the PEM `file` used as the root certificate authority. 33 | 34 | **--context**=`name` 35 | The context `name` to apply for the given command. 
36 | 37 | ## Examples 38 | 39 | Retrieve the encrypted private jwk for the given key-id: 40 | ```shell 41 | $ step ca provisioner jwe-key 1234 --ca-url https://127.0.0.1 --root ./root.crt 42 | ``` 43 | 44 | 45 | -------------------------------------------------------------------------------- /step-cli/reference/ca/provisioner/list/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca provisioner list 5 | menu: 6 | docs: 7 | parent: step ca provisioner 8 | --- 9 | 10 | ## Name 11 | **step ca provisioner list** -- list provisioners configured in the CA 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca provisioner list 17 | [--ca-url=] [--root=] [--context=] 18 | ``` 19 | 20 | ## Description 21 | 22 | **step ca provisioner list** lists the provisioners configured 23 | in the CA. 24 | 25 | ## Options 26 | 27 | 28 | **--ca-url**=`URI` 29 | `URI` of the targeted Step Certificate Authority. 30 | 31 | **--root**=`file` 32 | The path to the PEM `file` used as the root certificate authority. 33 | 34 | **--context**=`name` 35 | The context `name` to apply for the given command. 
36 | 37 | ## Examples 38 | 39 | Prints a JSON list with active provisioners: 40 | ```shell 41 | $ step ca provisioner list 42 | ``` 43 | 44 | -------------------------------------------------------------------------------- /step-cli/reference/ca/provisioner/remove/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca provisioner remove 5 | menu: 6 | docs: 7 | parent: step ca provisioner 8 | --- 9 | 10 | ## Name 11 | **step ca provisioner remove** -- remove a provisioner from the CA configuration 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca provisioner remove 17 | [--admin-cert=] [--admin-key=] [--admin-subject=] 18 | [--admin-provisioner=] [--admin-password-file=] 19 | [--ca-url=] [--root=] [--context=] [--ca-config=] 20 | ``` 21 | 22 | ## Description 23 | 24 | **step ca provisioner remove** removes a provisioner from the CA configuration. 25 | 26 | ## Options 27 | 28 | 29 | **--admin-cert**=`chain` 30 | Admin certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT. 31 | 32 | **--admin-key**=`file` 33 | Private key `file`, used to sign a JWT, corresponding to the admin certificate that will 34 | be stored in the 'x5c' header. 35 | 36 | **--admin-subject**=`subject`, **--admin-name**=`subject` 37 | The admin `subject` to use for generating admin credentials. 38 | 39 | **--admin-provisioner**=`name`, **--admin-issuer**=`name` 40 | The provisioner `name` to use for generating admin credentials. 41 | 42 | **--admin-password-file**=`file`, **--password-file**=`file` 43 | The path to the `file` containing the password to decrypt the one-time token 44 | generating key. 45 | 46 | **--ca-url**=`URI` 47 | `URI` of the targeted Step Certificate Authority. 48 | 49 | **--root**=`file` 50 | The path to the PEM `file` used as the root certificate authority. 51 | 52 | **--context**=`name` 53 | The context `name` to apply for the given command. 
54 | 55 | **--ca-config**=`file` 56 | The certificate authority configuration `file`. Defaults to 57 | $(step path)/config/ca.json 58 | 59 | ## Examples 60 | 61 | Remove provisioner by name: 62 | ```shell 63 | $ step ca provisioner remove acme 64 | ``` 65 | 66 | Remove provisioner from a ca.json that is not in the default location: 67 | ```shell 68 | $ step ca provisioner remove acme --ca-config /path/to/ca.json 69 | ``` 70 | 71 | -------------------------------------------------------------------------------- /step-cli/reference/ca/provisioner/webhook/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca provisioner webhook 5 | menu: 6 | docs: 7 | parent: step ca provisioner 8 | children: 9 | - add 10 | - update 11 | - remove 12 | --- 13 | 14 | ## Name 15 | **step ca provisioner webhook** -- create and manage webhooks for a provisioner 16 | 17 | ## Usage 18 | 19 | ```raw 20 | step ca provisioner webhook [arguments] [global-flags] [subcommand-flags] 21 | ``` 22 | 23 | ## Description 24 | 25 | **step ca provisioner webhook** command group provides facilities for managing the webhooks attached to a provisioner. 26 | 27 | Administrators can attach webhooks to provisioners to retrieve additional data that will be available when rendering certificate templates. 28 | Webhooks can also be used to disallow signing certificates for unknown entities. 29 | 30 | Any data returned from the webhook server will be added to the template context under the path "Webhooks.`name`". 31 | Implementations of webhook servers must conform to the step-ca documentation at https://smallstep.com/docs/step-ca/templates for parsing and verifying request bodies and forming valid response bodies.
32 | 33 | ## Examples 34 | 35 | Add a new webhook to a provisioner: 36 | ```shell 37 | step ca provisioner webhook add my_provisioner my_webhook --url https://example.com 38 | ``` 39 | 40 | Change a webhook's url: 41 | ```shell 42 | step ca provisioner webhook update my_provisioner my_webhook --url https://example.com 43 | ``` 44 | 45 | Remove a webhook: 46 | ```shell 47 | step ca provisioner webhook remove my_provisioner my_webhook 48 | ``` 49 | 50 | 51 | ## Commands 52 | 53 | 54 | | Name | Usage | 55 | |---|---| 56 | | **[add](add/)** | add a webhook to a provisioner | 57 | | **[update](update/)** | update a webhook attached to a provisioner | 58 | | **[remove](remove/)** | remove a webhook from a provisioner | 59 | 60 | -------------------------------------------------------------------------------- /step-cli/reference/ca/provisioner/webhook/remove/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca provisioner webhook remove 5 | menu: 6 | docs: 7 | parent: step ca provisioner webhook 8 | --- 9 | 10 | ## Name 11 | **step ca provisioner webhook remove** -- remove a webhook from a provisioner 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca provisioner webhook remove 17 | [--admin-cert=] [--admin-key=] [--admin-subject=] 18 | [--admin-provisioner=] [--admin-password-file=] 19 | [--ca-url=] [--root=] [--context=] [--ca-config=] 20 | ``` 21 | 22 | ## Description 23 | 24 | **step ca provisioner webhook remove** removes a webhook from a provisioner. 25 | 26 | ## Positional arguments 27 | 28 | `provisioner_name` 29 | The name of the provisioner. 30 | 31 | `webhook_name` 32 | The name of the webhook. 33 | 34 | ## Options 35 | 36 | 37 | **--admin-cert**=`chain` 38 | Admin certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT. 
39 | 40 | **--admin-key**=`file` 41 | Private key `file`, used to sign a JWT, corresponding to the admin certificate that will 42 | be stored in the 'x5c' header. 43 | 44 | **--admin-subject**=`subject`, **--admin-name**=`subject` 45 | The admin `subject` to use for generating admin credentials. 46 | 47 | **--admin-provisioner**=`name`, **--admin-issuer**=`name` 48 | The provisioner `name` to use for generating admin credentials. 49 | 50 | **--admin-password-file**=`file`, **--password-file**=`file` 51 | The path to the `file` containing the password to decrypt the one-time token 52 | generating key. 53 | 54 | **--ca-url**=`URI` 55 | `URI` of the targeted Step Certificate Authority. 56 | 57 | **--root**=`file` 58 | The path to the PEM `file` used as the root certificate authority. 59 | 60 | **--context**=`name` 61 | The context `name` to apply for the given command. 62 | 63 | **--ca-config**=`file` 64 | The certificate authority configuration `file`. Defaults to 65 | $(step path)/config/ca.json 66 | 67 | ## Examples 68 | 69 | Remove a webhook: 70 | ```shell 71 | step ca provisioner webhook remove my_provisioner my_webhook 72 | ``` 73 | 74 | -------------------------------------------------------------------------------- /step-cli/reference/ca/root/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca root 5 | menu: 6 | docs: 7 | parent: step ca 8 | --- 9 | 10 | ## Name 11 | **step ca root** -- download and validate the root certificate 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca root [] 17 | [--ca-url=] [--fingerprint=] [--context=] 18 | ``` 19 | 20 | ## Description 21 | 22 | **step ca root** downloads and validates the root certificate from the 23 | certificate authority. 
24 | 25 | ## Positional arguments 26 | 27 | `root-file` 28 | File to write root certificate (PEM format) 29 | 30 | ## Options 31 | 32 | 33 | **-f**, **--force** 34 | Force the overwrite of files without asking. 35 | 36 | **--fingerprint**=`fingerprint` 37 | The `fingerprint` of the targeted root certificate. 38 | 39 | **--ca-url**=`URI` 40 | `URI` of the targeted Step Certificate Authority. 41 | 42 | **--context**=`name` 43 | The context `name` to apply for the given command. 44 | 45 | ## Examples 46 | 47 | Get the root fingerprint in the CA: 48 | ```shell 49 | $ step certificate fingerprint /path/to/root_ca.crt 50 | 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3 51 | ``` 52 | 53 | Download the root certificate from the configured certificate authority: 54 | ```shell 55 | $ step ca root root_ca.crt \ 56 | --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3 57 | ``` 58 | 59 | Download the root certificate using a given certificate authority: 60 | ```shell 61 | $ step ca root root_ca.crt \ 62 | --ca-url https://ca.smallstep.com:9000 \ 63 | --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3 64 | ``` 65 | 66 | Print the root certificate using the flags set by `step ca bootstrap`: 67 | ```shell 68 | $ step ca root 69 | ``` 70 | 71 | -------------------------------------------------------------------------------- /step-cli/reference/ca/roots/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ca roots 5 | menu: 6 | docs: 7 | parent: step ca 8 | --- 9 | 10 | ## Name 11 | **step ca roots** -- download all the root certificates 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ca roots [] 17 | [--ca-url=] [--root=] [--context=] 18 | ``` 19 | 20 | ## Description 21 | 22 | **step ca roots** downloads a certificate bundle with all the root 23 | certificates. 
24 | 25 | ## Positional arguments 26 | 27 | `roots-file` 28 | File to write all the root certificates (PEM format) 29 | 30 | ## Options 31 | 32 | 33 | **--ca-url**=`URI` 34 | `URI` of the targeted Step Certificate Authority. 35 | 36 | **-f**, **--force** 37 | Force the overwrite of files without asking. 38 | 39 | **--root**=`file` 40 | The path to the PEM `file` used as the root certificate authority. 41 | 42 | **--context**=`name` 43 | The context `name` to apply for the given command. 44 | 45 | ## Examples 46 | 47 | Download the roots with flags set by `step ca bootstrap`: 48 | ```shell 49 | $ step ca roots roots.pem 50 | ``` 51 | 52 | Download the roots with custom flags: 53 | ```shell 54 | $ step ca roots roots.pem \ 55 | --ca-url https://ca.example.com \ 56 | --root /path/to/root_ca.crt 57 | ``` 58 | 59 | Print the roots using flags set by `step ca bootstrap`: 60 | ```shell 61 | $ step ca roots 62 | ``` 63 | 64 | -------------------------------------------------------------------------------- /step-cli/reference/certificate/bundle/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step certificate bundle 5 | menu: 6 | docs: 7 | parent: step certificate 8 | --- 9 | 10 | ## Name 11 | **step certificate bundle** -- bundle a certificate with intermediate certificate(s) needed for certificate path validation 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step certificate bundle 17 | ``` 18 | 19 | ## Description 20 | 21 | **step certificate bundle** bundles a certificate 22 | with any intermediates necessary to validate the certificate. 23 | 24 | ## Positional arguments 25 | 26 | `crt-file` 27 | The path to a leaf certificate to bundle with issuing certificate(s). 28 | 29 | `ca` 30 | The path to the Certificate Authority issuing certificate. 31 | 32 | `bundle-file` 33 | The path to write the bundle. 
34 | 35 | ## Options 36 | 37 | 38 | **-f**, **--force** 39 | Force the overwrite of files without asking. 40 | 41 | ## Exit codes 42 | 43 | This command returns 0 on success and >0 if any error occurs. 44 | 45 | ## Examples 46 | 47 | Bundle a certificate with the intermediate certificate authority (issuer): 48 | 49 | ```shell 50 | $ step certificate bundle foo.crt intermediate-ca.crt foo-bundle.crt 51 | ``` 52 | 53 | 54 | -------------------------------------------------------------------------------- /step-cli/reference/certificate/format/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step certificate format 5 | menu: 6 | docs: 7 | parent: step certificate 8 | --- 9 | 10 | ## Name 11 | **step certificate format** -- reformat certificate 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step certificate format [--out=] 17 | ``` 18 | 19 | ## Description 20 | 21 | **step certificate format** prints the certificate or CSR in a different format. 22 | 23 | Only 2 formats are currently supported: PEM and ASN.1 DER. This tool will convert 24 | a certificate or CSR in one format to the other. 25 | 26 | ## Positional arguments 27 | 28 | `crt-file` 29 | Path to a certificate or CSR file. 30 | 31 | ## Options 32 | 33 | 34 | **--out**=`value` 35 | Path to write the reformatted result. 36 | 37 | **-f**, **--force** 38 | Force the overwrite of files without asking. 39 | 40 | ## Exit codes 41 | 42 | This command returns 0 on success and >0 if any error occurs.
43 | 44 | ## Examples 45 | 46 | Convert PEM format to DER: 47 | ```shell 48 | $ step certificate format foo.pem 49 | ``` 50 | 51 | Convert DER format to PEM: 52 | ```shell 53 | $ step certificate format foo.der 54 | ``` 55 | 56 | Convert PEM format to DER and write to disk: 57 | ```shell 58 | $ step certificate format foo.pem --out foo.der 59 | ``` 60 | 61 | 62 | -------------------------------------------------------------------------------- /step-cli/reference/certificate/install/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step certificate install 5 | menu: 6 | docs: 7 | parent: step certificate 8 | --- 9 | 10 | ## Name 11 | **step certificate install** -- install a root certificate in the supported trust stores 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step certificate install 17 | [--prefix=] [--all] 18 | [--java] [--firefox] [--no-system] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step certificate install** installs a root certificate in 24 | the supported trust stores. 25 | 26 | Java's and Firefox's trust stores are also supported via the respective flags. 27 | 28 | ## Positional arguments 29 | 30 | `crt-file` 31 | Root certificate to install in the specified trust stores. 32 | 33 | ## Options 34 | 35 | 36 | **--prefix**=`name` 37 | The prefix used to `name` the CA in the trust store. Defaults to the 38 | certificate common name.
39 | 40 | **--java** 41 | install on the Java key store 42 | 43 | **--firefox** 44 | install on the Firefox NSS security database 45 | 46 | **--no-system** 47 | disables the install on the system's default trust store 48 | 49 | **--all** 50 | install in Firefox's, Java's, and the system's default trust store 51 | 52 | ## Examples 53 | 54 | Install a root certificate in the system's default trust store: 55 | ```shell 56 | $ step certificate install root-ca.pem 57 | ``` 58 | 59 | Install a root certificate in all the supported trust stores: 60 | ```shell 61 | $ step certificate install --all root-ca.pem 62 | ``` 63 | 64 | Install a root certificate in Firefox's and the system's default trust store: 65 | ```shell 66 | $ step certificate install --firefox root-ca.pem 67 | ``` 68 | 69 | Install a root certificate in Java's and the system's default trust store: 70 | ```shell 71 | $ step certificate install --java root-ca.pem 72 | ``` 73 | 74 | Install a root certificate in Firefox's and Java's trust store, but not in the system's default trust store: 75 | ```shell 76 | $ step certificate install --firefox --java --no-system root-ca.pem 77 | ``` 78 | 79 | -------------------------------------------------------------------------------- /step-cli/reference/certificate/key/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step certificate key 5 | menu: 6 | docs: 7 | parent: step certificate 8 | --- 9 | 10 | ## Name 11 | **step certificate key** -- print public key embedded in a certificate 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step certificate key [--out=] 17 | ``` 18 | 19 | ## Description 20 | 21 | **step certificate key** prints the public key embedded in a certificate or 22 | a certificate signing request. If `crt-file` is a certificate bundle, only the 23 | first block will be taken into account. 
24 | 25 | The command will print a public or a decrypted private key if `crt-file` 26 | contains only a key. 27 | 28 | ## Positional arguments 29 | 30 | `crt-file` 31 | Path to a certificate or certificate signing request (CSR). 32 | 33 | ## Options 34 | 35 | 36 | **--out**=`file`, **--output-file**=`file` 37 | The destination `file` of the public key. 38 | 39 | **-f**, **--force** 40 | Force the overwrite of files without asking. 41 | 42 | ## Examples 43 | 44 | Get the public key of a certificate: 45 | ```shell 46 | $ step certificate key certificate.crt 47 | -----BEGIN PUBLIC KEY----- 48 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEio9DLyuglMxakS3w00DUKdGbeXXB 49 | 2Mfg6tVofeXYan9RbvftZufiypIAVqGZqO7CR9EbkoyHb/7GcKQa5HZ9rA== 50 | -----END PUBLIC KEY----- 51 | ``` 52 | 53 | Get the public key of a CSR and save it to a file: 54 | ```shell 55 | $ step certificate key certificate.csr --out key.pem 56 | ``` 57 | 58 | -------------------------------------------------------------------------------- /step-cli/reference/certificate/uninstall/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step certificate uninstall 5 | menu: 6 | docs: 7 | parent: step certificate 8 | --- 9 | 10 | ## Name 11 | **step certificate uninstall** -- uninstall a root certificate from the supported trust stores 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step certificate uninstall 17 | [--prefix=] [--all] 18 | [--java] [--firefox] [--no-system] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step certificate uninstall** uninstalls a root certificate from 24 | the supported trust stores. 25 | 26 | Java's and Firefox's trust stores are also supported via the respective flags. 27 | 28 | ## Positional arguments 29 | 30 | `crt-file` 31 | Root certificate to uninstall from the specified trust stores. 
32 | 33 | ## Options 34 | 35 | 36 | **--prefix**=`name` 37 | The prefix used to `name` the CA in the trust store. Defaults to the 38 | certificate common name. 39 | 40 | **--java** 41 | uninstall from the Java key store 42 | 43 | **--firefox** 44 | uninstall from the Firefox NSS security database 45 | 46 | **--no-system** 47 | disables the uninstall from the system's default trust store 48 | 49 | **--all** 50 | uninstall from Firefox's, Java's, and the system's default trust store 51 | 52 | ## Examples 53 | 54 | Uninstall only from the system's default trust store: 55 | ```shell 56 | $ step certificate uninstall root-ca.pem 57 | ``` 58 | 59 | Uninstall a root certificate from all the supported trust stores: 60 | ```shell 61 | $ step certificate uninstall --all root-ca.pem 62 | ``` 63 | 64 | Uninstall a root certificate from Firefox's and the system's default trust store: 65 | ```shell 66 | $ step certificate uninstall --firefox root-ca.pem 67 | ``` 68 | 69 | Uninstall a root certificate from Java's and the system's default trust store: 70 | ```shell 71 | $ step certificate uninstall --java root-ca.pem 72 | ``` 73 | 74 | Uninstall a certificate from Firefox, Java, but not from the system: 75 | ```shell 76 | $ step certificate uninstall --firefox --java --no-system root-ca.pem 77 | ``` 78 | 79 | -------------------------------------------------------------------------------- /step-cli/reference/completion/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step completion 5 | menu: 6 | docs: 7 | parent: step 8 | --- 9 | 10 | ## Name 11 | **step completion** -- print the shell completion script 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step completion 17 | ``` 18 | 19 | ## Description 20 | 21 | **step completion** command prints the shell completion script. 22 | 23 | ## Positional arguments 24 | 25 | `shell` 26 | The shell program. Supports bash, zsh, and fish. 
27 | 28 | ## Examples 29 | 30 | Add bash completion for the current user. 31 | ```shell 32 | $ step completion bash >> ~/.bash_completion 33 | ``` 34 | 35 | Add fish completions for the current user. 36 | ```shell 37 | $ step completion fish | source 38 | ``` 39 | 40 | -------------------------------------------------------------------------------- /step-cli/reference/context/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step context 5 | menu: 6 | docs: 7 | parent: step 8 | children: 9 | - current 10 | - list 11 | - remove 12 | - select 13 | --- 14 | 15 | ## Name 16 | **step context** -- manage certificate authority contexts 17 | 18 | ## Usage 19 | 20 | ```raw 21 | step context [global-flags] [arguments] [subcommand-flags] 22 | ``` 23 | 24 | ## Description 25 | 26 | **step context** command group provides facilities to manage certificate 27 | authority contexts. 28 | 29 | ## Examples 30 | 31 | ```shell 32 | $ cat $(step path --base)/contexts.json 33 | { 34 | "alpha-one": { 35 | "authority": "alpha-one.ca.smallstep.com", 36 | "profile": "alpha-one" 37 | }, 38 | "alpha-two": { 39 | "authority": "alpha-two.ca.smallstep.com", 40 | "profile": "alpha-two" 41 | }, 42 | "beta": { 43 | "authority": "beta.ca.smallstep.com", 44 | "profile": "beta" 45 | } 46 | } 47 | ``` 48 | 49 | Select the default certificate authority context: 50 | ```shell 51 | $ step context select alpha-one 52 | ``` 53 | 54 | List the available certificate authority contexts: 55 | ```shell 56 | $ step context list 57 | ▶ alpha-one 58 | alpha-two 59 | beta 60 | ``` 61 | 62 | ## Commands 63 | 64 | 65 | | Name | Usage | 66 | |---|---| 67 | | **[current](current/)** | current returns the name of the current context | 68 | | **[list](list/)** | list available certificate authority contexts | 69 | | **[remove](remove/)** | remove a context and all associated configuration | 70 | | 
**[select](select/)** | select the default certificate authority context | 71 | 72 | -------------------------------------------------------------------------------- /step-cli/reference/context/current/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step context current 5 | menu: 6 | docs: 7 | parent: step context 8 | --- 9 | 10 | ## Name 11 | **step context current** -- current returns the name of the current context 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step context current [--json] 17 | ``` 18 | 19 | ## Description 20 | 21 | **step context current** returns the name of the current context. 22 | 23 | ## Options 24 | 25 | 26 | **--json** 27 | Return stringified JSON containing the main attributes of a context. 28 | 29 | ## Examples 30 | 31 | Print the name of the current certificate authority context: 32 | ```shell 33 | $ step context current 34 | test-ca 35 | ``` 36 | 37 | ```shell 38 | $ step context current --json 39 | {"name":"test-ca","authority":"internal.ca.smallstep.com","profile":"test-ca"} 40 | ``` 41 | 42 | -------------------------------------------------------------------------------- /step-cli/reference/context/list/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step context list 5 | menu: 6 | docs: 7 | parent: step context 8 | --- 9 | 10 | ## Name 11 | **step context list** -- list available certificate authority contexts 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step context list 17 | ``` 18 | 19 | ## Description 20 | 21 | **step context list** command lists available certificate authority contexts.
22 | 23 | ## Examples 24 | 25 | List all certificate authority contexts: 26 | ```shell 27 | $ step context list 28 | ▶ alpha-one 29 | alpha-two 30 | ssh.beta 31 | ``` 32 | -------------------------------------------------------------------------------- /step-cli/reference/context/remove/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step context remove 5 | menu: 6 | docs: 7 | parent: step context 8 | --- 9 | 10 | ## Name 11 | **step context remove** -- remove a context and all associated configuration 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step context remove [--force] 17 | ``` 18 | 19 | ## Description 20 | 21 | **step context remove** command removes a context, along 22 | with all associated configuration, from disk. 23 | 24 | ## Positional arguments 25 | 26 | `name` 27 | The name of the context to remove. 28 | 29 | ## Options 30 | 31 | 32 | **-f**, **--force** 33 | Force the overwrite of files without asking. 34 | 35 | ## Examples 36 | 37 | Remove a context: 38 | ```shell 39 | $ step context remove alpha-one 40 | ``` 41 | 42 | -------------------------------------------------------------------------------- /step-cli/reference/context/select/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step context select 5 | menu: 6 | docs: 7 | parent: step context 8 | --- 9 | 10 | ## Name 11 | **step context select** -- select the default certificate authority context 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step context select 17 | ``` 18 | 19 | ## Description 20 | 21 | **step context select** command sets the default certificate authority context.
22 |
23 | ## Examples
24 |
25 | Select the default certificate authority context:
26 | ```shell
27 | $ step context select alpha-one
28 | ```
29 |
--------------------------------------------------------------------------------
/step-cli/reference/crl/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crl
5 | menu:
6 |   docs:
7 |     parent: step
8 |     children:
9 |       - inspect
10 | ---
11 |
12 | ## Name
13 | **step crl** -- initialize and manage a certificate revocation list
14 |
15 | ## Usage
16 |
17 | ```raw
18 | step crl [arguments] [global-flags] [subcommand-flags]
19 | ```
20 |
21 | ## Description
22 |
23 | **step crl** command group provides facilities to create, manage and inspect a
24 | certificate revocation list (CRL).
25 |
26 | ## Examples
27 |
28 | Inspect a CRL:
29 | ```shell
30 | $ step crl inspect http://ca.example.com/crls/exampleca.crl
31 | ```
32 |
33 | ## Commands
34 |
35 |
36 | | Name | Usage |
37 | |---|---|
38 | | **[inspect](inspect/)** | print certificate revocation list (CRL) details in human-readable format |
39 |
40 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/change-pass/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto change-pass
5 | menu:
6 |   docs:
7 |     parent: step crypto
8 | ---
9 |
10 | ## Name
11 | **step crypto change-pass** -- change password of an encrypted private key (PEM or JWK format)
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto change-pass
17 | [--out=] [--password-file=] [--new-password-file=]
18 | [--insecure] [--no-password]
19 | ```
20 |
21 | ## Description
22 |
23 | **step crypto change-pass** extracts and decrypts
24 | the private key from a file and encrypts and serializes the key to disk using a
25 | new password.
26 |
27 | ## Positional arguments
28 |
29 | `key-file`
30 | The PEM or JWK file with the encrypted key.
31 |
32 | ## Options
33 |
34 |
35 | **--password-file**=`file`
36 | The path to the `file` containing the password to decrypt the private key.
37 |
38 | **--new-password-file**=`file`
39 | The path to the `file` containing the password to encrypt the private key.
40 |
41 | **--out**=`file`, **--output-file**=`file`
42 | The `file` path for the new encrypted key. Defaults to overwriting the `key-file` positional argument.
43 |
44 | **-f**, **--force**
45 | Force the overwrite of files without asking.
46 |
47 | **--insecure**
48 |
49 |
50 | **--no-password**
51 | Do not ask for a password to encrypt a private key. Sensitive key material will
52 | be written to disk unencrypted. This is not recommended. Requires **--insecure** flag.
53 |
54 | ## Examples
55 |
56 | Change password for PEM formatted key:
57 | ```shell
58 | $ step crypto change-pass key.pem
59 | ```
60 |
61 | Remove password for PEM formatted key:
62 | ```shell
63 | $ step crypto change-pass key.pem --no-password --insecure
64 | ```
65 |
66 | Change password for PEM formatted key and write encrypted key to different file:
67 | ```shell
68 | $ step crypto change-pass key.pem --out new-key.pem
69 | ```
70 |
71 | Change password for JWK formatted key:
72 | ```shell
73 | $ step crypto change-pass key.jwk
74 | ```
75 |
76 | Remove password for JWK formatted key:
77 | ```shell
78 | $ step crypto change-pass key.jwk --no-password --insecure
79 | ```
80 |
81 | Change password for JWK formatted key and write encrypted key to different file:
82 | ```shell
83 | $ step crypto change-pass key.jwk --out new-key.jwk
84 | ```
85 |
86 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/hash/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto hash
5 | menu:
6 |   docs:
7 |     parent: step crypto
8 |     children:
9 |       - digest
10 |       - compare
11 | ---
12 |
13 | ## Name
14 | **step crypto hash** -- generate and check hashes of files and directories
15 |
16 | ## Usage
17 |
18 | ```raw
19 | step crypto hash [arguments] [global-flags] [subcommand-flags]
20 | ```
21 |
22 | ## Description
23 |
24 | **step crypto hash** command group provides facilities for generating and
25 | checking hashes of files and directories.
26 |
27 | ## Examples
28 |
29 | SHA-256 digest and compare of a file:
30 | ```shell
31 | $ step crypto hash digest foo.crt
32 | 1d14bfeab8532f0fca6220f6a870d069496798e92520c4437e13b9921a3cb7f3 foo.crt
33 |
34 | $ step crypto hash compare 1d14bfeab8532f0fca6220f6a870d069496798e92520c4437e13b9921a3cb7f3 foo.crt
35 | ok
36 | ```
37 |
38 | SHA-1 digest and compare of a directory:
39 | ```shell
40 | $ step crypto hash digest --alg sha1 config/
41 | d419284e29382983683c294f9593183f7e00961b config/
42 |
43 | $ step crypto hash compare --alg sha1 d419284e29382983683c294f9593183f7e00961b config
44 | ok
45 | ```
46 |
47 | MD5 of a file:
48 | ```shell
49 | $ step crypto hash digest --alg md5 --insecure foo.crt
50 | a2c5dae8eae7d116019f0478e8b0a35a foo.crt
51 | ```
52 |
53 | SHA-512/256 of a list of files:
54 | ```shell
55 | $ find . -type f | xargs step crypto hash digest --alg sha512-256
56 | ```
57 |
58 | Compare a previously created checksum file:
59 | ```shell
60 | $ find path -type f | xargs step crypto hash digest --alg sha512-256 > checksums.txt
61 |
62 | $ cat checksums.txt | xargs -n 2 step crypto hash compare --alg sha512-256
63 | ```
64 |
65 | ## Commands
66 |
67 |
68 | | Name | Usage |
69 | |---|---|
70 | | **[digest](digest/)** | generate a hash digest of a file or directory |
71 | | **[compare](compare/)** | verify the hash digest for a file or directory matches an expected value |
72 |
73 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/hash/compare/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto hash compare
5 | menu:
6 |   docs:
7 |     parent: step crypto hash
8 | ---
9 |
10 | ## Name
11 | **step crypto hash compare** -- verify the hash digest for a file or directory matches an expected value
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto hash compare
17 | [--alg ALGORITHM]
18 | ```
19 |
20 | ## Description
21 |
22 | **step crypto hash compare** verifies that the expected hash value matches the
23 | computed hash value for a file or directory.
24 |
25 | For examples, see **step help crypto hash**.
26 |
27 | ## Positional arguments
28 |
29 | `hash`
30 | The expected hash digest
31 |
32 | `file-or-directory`
33 | The path to a file or directory to hash.
34 |
35 | ## Options
36 |
37 |
38 | **--alg**=`algorithm`
39 | The hash algorithm to use.
40 |
41 | `algorithm` must be one of:
42 |
43 | - **sha1** (or sha): SHA-1 produces a 160-bit hash value
44 |
45 | - **sha224**: SHA-224 produces a 224-bit hash value
46 |
47 | - **sha256** (default): SHA-256 produces a 256-bit hash value
48 |
49 | - **sha384**: SHA-384 produces a 384-bit hash value
50 |
51 | - **sha512**: SHA-512 produces a 512-bit hash value
52 |
53 | - **sha512-224**: SHA-512/224 produces a 224-bit hash value
54 |
55 | - **sha512-256**: SHA-512/256 produces a 256-bit hash value
56 |
57 | - **md5** (requires --insecure): MD5 produces a 128-bit hash value
58 |
59 |
60 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/hash/digest/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto hash digest
5 | menu:
6 |   docs:
7 |     parent: step crypto hash
8 | ---
9 |
10 | ## Name
11 | **step crypto hash digest** -- generate a hash digest of a file or directory
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto hash digest ...
17 | [--alg=]
18 | ```
19 |
20 | ## Description
21 |
22 | **step crypto hash digest** generates a hash digest for a given file or
23 | directory. For a file, the output is the same as tools like 'shasum'. For
24 | directories, the tool computes a hash tree and outputs a single hash digest.
25 |
26 | For examples, see **step help crypto hash**.
27 |
28 | ## Positional arguments
29 |
30 | `file-or-directory`
31 | The path to a file or directory to hash.
32 |
33 | ## Options
34 |
35 |
36 | **--alg**=`algorithm`
37 | The hash algorithm to use.
38 |
39 | `algorithm` must be one of:
40 |
41 | - **sha1** (or sha): SHA-1 produces a 160-bit hash value
42 |
43 | - **sha224**: SHA-224 produces a 224-bit hash value
44 |
45 | - **sha256** (default): SHA-256 produces a 256-bit hash value
46 |
47 | - **sha384**: SHA-384 produces a 384-bit hash value
48 |
49 | - **sha512**: SHA-512 produces a 512-bit hash value
50 |
51 | - **sha512-224**: SHA-512/224 uses SHA-512 and truncates the output to 224 bits
52 |
53 | - **sha512-256**: SHA-512/256 uses SHA-512 and truncates the output to 256 bits
54 |
55 | - **md5** (requires --insecure): MD5 produces a 128-bit hash value
56 |
57 |
58 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jose/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jose
5 | menu:
6 |   docs:
7 |     parent: step crypto
8 |     children:
9 |       - format
10 | ---
11 |
12 | ## Name
13 | **step crypto jose** -- collection of JOSE utilities
14 |
15 | ## Usage
16 |
17 | ```raw
18 | step crypto jose [arguments] [global-flags] [subcommand-flags]
19 | ```
20 |
21 | ## Commands
22 |
23 |
24 | | Name | Usage |
25 | |---|---|
26 | | **[format](format/)** | swap serialization format |
27 |
28 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jose/format/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jose format
5 | menu:
6 |   docs:
7 |     parent: step crypto jose
8 | ---
9 |
10 | ## Name
11 | **step crypto jose format** -- swap serialization format
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto jose format
17 | ```
18 |
19 | ## Description
20 |
21 | **step crypto jose format** reads a JWT, a JWS, or a JWE from STDIN and swaps the
22 | serialization of the content, from compact to JSON or from JSON to compact.
23 |
24 | ## Examples
25 |
26 | Transform a JSON encrypted message to the compact serialization format:
27 | ```shell
28 | $ echo The message | step crypto jwe encrypt --key p256.enc.pub | step crypto jose format
29 | eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IlNTR1pNdjZyMGlHbmtsMnpKRERXS1JlaDU4R3RwTjVjT2tBZnlaaUI0enMiLCJ5IjoiLUJzQ2w5RjZNd28zRWZoTFJIeVdDbGlxU2d6T2tubzNuWW80azlPSVk0TSJ9LCJraWQiOiJHd0tSTUdXY1pWNFE2dGZZblpjZm90N090N2hjQ0t2cUJPVWljX0JoZ0gwIn0
30 | .
31 | .
32 | iJNn8SrqE8I5Bhog
33 | .
34 | NO9FfC25Ow9ogzq1.6M3Jiy_osGwlioJjXPyl9w
35 | ```
36 |
37 | Transform a compact token to the JSON serialization format:
38 | ```shell
39 | $ step crypto jwt sign --key p256.priv.json --iss "joe" --aud "bob" \
40 | --sub "hello" --exp $(date -v+1M +"%s") | step crypto jose format
41 | {
42 | "payload":"eyJhdWQiOiJib2IiLCJleHAiOjE1MzUyNDE4OTYsImlhdCI6MTUzMjU2MzQ5OCwiaXNzIjoiam9lIiwibmJmIjoxNTMyNTYzNDk4LCJzdWIiOiJoZWxsbyJ9",
43 | "protected":"eyJhbGciOiJFUzI1NiIsImtpZCI6IlpqR1g5N0xtY2ZsUG9sV3Zzb0FXekM1V1BXa05GRkgzUWRLTFVXOTc4aGsiLCJ0eXAiOiJKV1QifQ",
44 | "signature":"wlRDGrjQItHFu5j2H4A4T6_P5Ek00ugJXQ3iIXibsZjU96_BaqddnAqFWeKpb6xHWGRAHKtlm9bUYBfLQ8Jlsg"
45 | }
46 | ```
47 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jwe/decrypt/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jwe decrypt
5 | menu:
6 |   docs:
7 |     parent: step crypto jwe
8 | ---
9 |
10 | ## Name
11 | **step crypto jwe decrypt** -- verify a JWE and decrypt ciphertext
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto jwe decrypt
17 | [--key=] [--jwks=] [--kid=]
18 | ```
19 |
20 | ## Description
21 |
22 | **step crypto jwe decrypt** verifies a JWE read from STDIN and decrypts the
23 | ciphertext printing it to STDOUT. If verification fails a non-zero failure
24 | code is returned. If verification succeeds the command returns 0.
25 |
26 | For examples, see **step help crypto jwe**.
27 |
28 | ## Options
29 |
30 |
31 | **--key**=`file`
32 | The argument should be the name of a `file`
33 | containing a private JWK (or a JWK encrypted as a JWE payload) or a PEM encoded
34 | private key (or a private key encrypted using the modes described in RFC 1423 or
35 | with PBES2+PBKDF2 described in RFC 2898).
36 |
37 | **--jwks**=`jwks`
38 | The JWK Set containing the recipient's private key. The `jwks` argument should
39 | be the name of a file. The file contents should be a JWK Set or a JWE with a
40 | JWK Set payload. The **--jwks** flag requires the use of the **--kid** flag to
41 | specify which key to use.
42 |
43 | **--kid**=`kid`
44 | The ID of the recipient's private key. `kid` is a case-sensitive string. When
45 | used with **--key** the `kid` value must match the **"kid"** member of the JWK. When
46 | used with **--jwks** (a JWK Set) the KID value must match the **"kid"** member of
47 | one of the JWKs in the JWK Set.
48 |
49 | **--password-file**=`file`
50 | The path to the `file` containing the password to encrypt the keys.
51 |
52 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jwk/keyset/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jwk keyset
5 | menu:
6 |   docs:
7 |     parent: step crypto jwk
8 |     children:
9 |       - add
10 |       - remove
11 |       - list
12 |       - find
13 | ---
14 |
15 | ## Name
16 | **step crypto jwk keyset** -- add, remove, and find JWKs in JWK Sets
17 |
18 | ## Usage
19 |
20 | ```raw
21 | step crypto jwk keyset [arguments] [global-flags] [subcommand-flags]
22 | ```
23 |
24 | ## Description
25 |
26 | **step crypto jwk keyset** command group provides facilities for managing and
27 | inspecting JWK Sets. A JWK Set is a JSON object that represents a set of JWKs. They
28 | are defined in RFC7517.
29 |
30 | A JWK Set is simply a JSON object with a "keys" member whose value is an array
31 | of JWKs. Additional members are allowed in the object. They will be preserved
32 | by this tool, but otherwise ignored. Duplicate member names are not allowed.
33 |
34 | For examples, see **step help crypto jwk**.
35 |
36 | ## Commands
37 |
38 |
39 | | Name | Usage |
40 | |---|---|
41 | | **[add](add/)** | a JWK to a JWK Set |
42 | | **[remove](remove/)** | a JWK from a JWK Set |
43 | | **[list](list/)** | key IDs of JWKs in a JWK Set |
44 | | **[find](find/)** | a JWK in a JWK Set |
45 |
46 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jwk/keyset/add/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jwk keyset add
5 | menu:
6 |   docs:
7 |     parent: step crypto jwk keyset
8 | ---
9 |
10 | ## Name
11 | **step crypto jwk keyset add** -- a JWK to a JWK Set
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto jwk keyset add
17 | ```
18 |
19 | ## Description
20 |
21 | **step crypto jwk keyset add** reads a JWK from STDIN and adds it to the JWK
22 | Set in `jwks-file`. Modifications to `jwks-file` are in-place. The file is
23 | 'flock'd while it's being read and modified.
24 |
25 | ## Positional arguments
26 |
27 | `jwks-file`
28 | File containing a JWK Set
29 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jwk/keyset/find/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jwk keyset find
5 | menu:
6 |   docs:
7 |     parent: step crypto jwk keyset
8 | ---
9 |
10 | ## Name
11 | **step crypto jwk keyset find** -- a JWK in a JWK Set
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto jwk keyset find [--kid=]
17 | ```
18 |
19 | ## Description
20 |
21 | **step crypto jwk keyset find** command locates the JWK with a key ID matching
22 | `kid` from the JWK Set stored in `jwks-file`. The matching JWK is printed to
23 | STDOUT.
24 |
25 | ## Positional arguments
26 |
27 | `jwks-file`
28 | File containing a JWK Set
29 |
30 | ## Options
31 |
32 |
33 | **--kid**=`kid`
34 | The key ID of the JWK to locate from the JWK Set. `kid` is a case-sensitive
35 | string.
36 |
37 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jwk/keyset/list/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jwk keyset list
5 | menu:
6 |   docs:
7 |     parent: step crypto jwk keyset
8 | ---
9 |
10 | ## Name
11 | **step crypto jwk keyset list** -- key IDs of JWKs in a JWK Set
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto jwk keyset list
17 | ```
18 |
19 | ## Description
20 |
21 | **step crypto jwk keyset list** lists the IDs ("kid" parameters) of JWKs in a
22 | JWK Set.
23 |
24 | ## Positional arguments
25 |
26 | `jwks-file`
27 | File containing a JWK Set
28 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jwk/keyset/remove/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jwk keyset remove
5 | menu:
6 |   docs:
7 |     parent: step crypto jwk keyset
8 | ---
9 |
10 | ## Name
11 | **step crypto jwk keyset remove** -- a JWK from a JWK Set
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto jwk keyset remove [--kid=]
17 | ```
18 |
19 | ## Description
20 |
21 | **step crypto jwk keyset remove** removes the JWK with a key ID matching `kid`
22 | from the JWK Set stored in `jwks-file`. Modifications to `jwks-file` are
23 | in-place. The file is 'flock'd while it's being read and modified.
24 |
25 | ## Positional arguments
26 |
27 | `jwks-file`
28 | File containing a JWK Set
29 |
30 | ## Options
31 |
32 |
33 | **--kid**=`kid`
34 | The key ID of the JWK to remove from the JWK Set. `kid` is a case-sensitive
35 | string.
36 |
37 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jwk/public/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jwk public
5 | menu:
6 |   docs:
7 |     parent: step crypto jwk
8 | ---
9 |
10 | ## Name
11 | **step crypto jwk public** -- extract a public JSON Web Key (JWK) from a private JWK
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto jwk public
17 | ```
18 |
19 | ## Description
20 |
21 | **step crypto jwk public** command reads a JWK from STDIN, derives the
22 | corresponding public JWK, and prints the derived JWK to STDOUT.
23 |
24 | For examples, see **step help crypto jwk**.
25 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jwk/thumbprint/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jwk thumbprint
5 | menu:
6 |   docs:
7 |     parent: step crypto jwk
8 | ---
9 |
10 | ## Name
11 | **step crypto jwk thumbprint** -- compute thumbprint for a JWK
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto jwk thumbprint
17 | ```
18 |
19 | ## Description
20 |
21 | **step crypto jwk thumbprint** reads a JWK from STDIN, derives the
22 | corresponding JWK Thumbprint (RFC7638), and prints the base64-urlencoded
23 | thumbprint to STDOUT.
24 |
25 | For examples, see **step help crypto jwk**.
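
How an RFC 7638 thumbprint is derived, as an added Python example (not code from step or from this repository): only the required members for the key type are kept, serialized in lexicographic order with no whitespace, hashed with SHA-256 and base64url-encoded. The sample key values are constructed and are not a real curve point; SHA-256 is assumed as the hash, and `kid_is_thumbprint` is a hypothetical helper.

```python
import base64
import hashlib
import hmac
import json

# Members that feed the thumbprint for each key type (RFC 7638 section 3.2;
# the OKP entry comes from RFC 8037). Every other member is ignored, so
# "kid", "use", "alg" and private parameters such as "d" never change it.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> bytes:
    """Return the exact byte string that gets hashed for this JWK."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    members = {}
    for name in REQUIRED_MEMBERS[kty]:
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError(f"JWK is missing required member {name!r}")
        members[name] = value
    # sort_keys gives lexicographic member order; the separators drop all
    # whitespace. Both are required for two parties to hash identical bytes.
    text = json.dumps(members, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return text.encode("utf-8")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint, base64url-encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk)).digest())


def kid_is_thumbprint(jwk: dict) -> bool:
    """Hypothetical check: does the key's "kid" equal its own thumbprint?"""
    kid = jwk.get("kid")
    if not isinstance(kid, str):
        return False
    return hmac.compare_digest(kid.encode("utf-8"),
                               jwk_thumbprint(jwk).encode("ascii"))


# Constructed sample input: the coordinates are filler bytes, which is enough
# here because the thumbprint only hashes the member strings.
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}

if __name__ == "__main__":
    print(canonical_jwk(SAMPLE_EC_JWK).decode("utf-8"))
    print(jwk_thumbprint(SAMPLE_EC_JWK))
```

Because optional members are excluded, a private JWK and the public JWK derived from it share one thumbprint, which is what makes it usable as a stable key identifier.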
26 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jws/inspect/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jws inspect
5 | menu:
6 |   docs:
7 |     parent: step crypto jws
8 | ---
9 |
10 | ## Name
11 | **step crypto jws inspect** -- return the decoded JWS without verification
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto jws inspect
17 | --insecure [--json]
18 | ```
19 |
20 | ## Description
21 |
22 | **step crypto jws inspect** reads a JWS data structure from STDIN, decodes it,
23 | and outputs the payload on STDERR. Since this command does not verify the JWS
24 | you must pass **--insecure** as a misuse prevention mechanism.
25 |
26 | For examples, see **step help crypto jws**.
27 |
28 | ## Options
29 |
30 |
31 | **--json**
32 | Displays the header, payload and signature as a JSON object. The payload will
33 | be encoded using Base64.
34 |
35 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/jwt/inspect/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto jwt inspect
5 | menu:
6 |   docs:
7 |     parent: step crypto jwt
8 | ---
9 |
10 | ## Name
11 | **step crypto jwt inspect** -- return the decoded JWT without verification
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto jwt inspect
17 | --insecure
18 | ```
19 |
20 | ## Description
21 |
22 | **step crypto jwt inspect** reads a JWT data structure from STDIN, decodes it,
23 | and outputs the header and payload on STDERR. Since this command does not
24 | verify the JWT you must pass **--insecure** as a misuse prevention mechanism.
25 |
26 | For examples, see **step help crypto jwt**.
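
Why the two inspect commands above demand **--insecure**, as an added Python example (not step's implementation): decoding a compact JWS or JWT needs no key, so a token whose payload was changed after signing still decodes cleanly, and only signature verification rejects it. HS256, the key and the function names are assumptions made for the example; the claims reuse the `joe`/`bob`/`hello` values from the jose format example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Compact serialization strips padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def split_compact(token: str) -> list:
    parts = token.split(".")
    if len(parts) != 3 or not all(parts[:2]):
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return parts


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 token so the example has something to inspect."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def inspect_unverified(token: str) -> dict:
    """Decode only. No key is involved, so the result proves nothing about
    who produced the token or whether it was modified."""
    header_b64, payload_b64, signature_b64 = split_compact(token)
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": signature_b64,
    }


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims only if the signature checks out under `key`."""
    header_b64, payload_b64, signature_b64 = split_compact(token)
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must not choose how it is checked.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def with_altered_payload(token: str, **changes) -> str:
    """Constructed test input: edit claims but keep the original signature."""
    header_b64, payload_b64, signature_b64 = split_compact(token)
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return ".".join([header_b64, encode_segment(claims), signature_b64])


# Constructed values, not real secrets.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_CLAIMS = {"iss": "joe", "aud": "bob", "sub": "hello"}


def demo() -> dict:
    token = sign_hs256(DEMO_CLAIMS, DEMO_KEY)
    altered = with_altered_payload(token, sub="someone-else")
    try:
        verify_hs256(altered, DEMO_KEY)
        verified = True
    except ValueError:
        verified = False
    return {
        "inspected_sub": inspect_unverified(altered)["payload"]["sub"],
        "altered_token_verifies": verified,
    }


if __name__ == "__main__":
    print(demo())
```

Treat inspect output as a debugging aid only; any decision that depends on a claim belongs after a successful verify.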
27 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/kdf/compare/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto kdf compare
5 | menu:
6 |   docs:
7 |     parent: step crypto kdf
8 | ---
9 |
10 | ## Name
11 | **step crypto kdf compare** -- compare a plaintext value (e.g., a password) and a hash
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto kdf compare []
17 | ```
18 |
19 | ## Description
20 |
21 | The **step crypto kdf compare** command compares a plaintext value (e.g., a
22 | password) with an existing KDF password hash in PHC string format. The PHC
23 | string input indicates which KDF algorithm and parameters to use.
24 |
25 | If the input matches `phc-hash` the command prints a human readable message
26 | indicating success to STDERR and returns 0. If the input does not match, an
27 | error will be printed to STDERR and the command will exit with a non-zero
28 | return code.
29 |
30 | If this command is run without the optional `input` argument and STDIN is a
31 | TTY (i.e., you're running the command in an interactive terminal and not
32 | piping input to it) you'll be prompted to enter a value on STDERR. If STDIN is
33 | not a TTY it will be read without prompting.
34 |
35 | For examples, see **step help crypto kdf**.
36 |
37 | ## Positional arguments
38 |
39 | `phc-hash`
40 | The KDF password hash in PHC string format.
41 |
42 | `input`
43 | The plaintext value to compare with `phc-hash`. `input` is optional and its
44 | use is not recommended. If this argument is provided the **--insecure** flag
45 | must also be provided because your (presumably secret) `input` will likely be
46 | logged and appear in places you might not expect. If omitted, input is read
47 | from STDIN.
48 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/key/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto key
5 | menu:
6 |   docs:
7 |     parent: step crypto
8 |     children:
9 |       - format
10 |       - public
11 |       - inspect
12 |       - fingerprint
13 |       - sign
14 |       - verify
15 | ---
16 |
17 | ## Name
18 | **step crypto key** -- manage keys
19 |
20 | ## Usage
21 |
22 | ```raw
23 | step crypto key SUBCOMMAND [ARGUMENTS] [GLOBAL_FLAGS] [SUBCOMMAND_FLAGS]
24 | ```
25 |
26 | ## Description
27 |
28 | **step crypto key** command group provides facilities for
29 | managing cryptographic keys.
30 |
31 | ## Examples
32 |
33 | Convert PEM format to PKCS8.
34 | ```shell
35 | $ step crypto key format foo-key.pem
36 | ```
37 |
38 |
39 | ## Commands
40 |
41 |
42 | | Name | Usage |
43 | |---|---|
44 | | **[format](format/)** | reformat a public or private key |
45 | | **[public](public/)** | print the public key from a private key or certificate |
46 | | **[inspect](inspect/)** | print key details in human readable format |
47 | | **[fingerprint](fingerprint/)** | print the fingerprint of a public key |
48 | | **[sign](sign/)** | sign a message using an asymmetric key |
49 | | **[verify](verify/)** | verify a signed message |
50 |
51 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/key/inspect/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto key inspect
5 | menu:
6 |   docs:
7 |     parent: step crypto key
8 | ---
9 |
10 | ## Name
11 | **step crypto key inspect** -- print key details in human readable format
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto key inspect
17 | ```
18 |
19 | ## Description
20 |
21 | **step crypto key inspect** prints details of the public or private key in the
22 | given `key-file` in a human readable format.
23 |
24 | ## Positional arguments
25 |
26 | `key-file`
27 | Path to a public or private key.
28 |
29 | ## Options
30 |
31 |
32 | **--password-file**=`file`
33 | The path to the `file` containing the passphrase to decrypt the private key.
34 |
35 | ## Examples
36 |
37 | Print details of the given key:
38 | ```shell
39 | $ step crypto key inspect priv.pem
40 | ```
41 |
42 | ## Notes
43 |
44 | This command shows the raw parameters of the keys; it does not include headers
45 | that the marshaled version of the keys might have. For example, a marshaled
46 | version of an EC public key will have 0x04 in the first byte to indicate the
47 | uncompressed form specified in section 4.3.6 of ANSI X9.62.
48 |
49 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/key/public/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto key public
5 | menu:
6 |   docs:
7 |     parent: step crypto key
8 | ---
9 |
10 | ## Name
11 | **step crypto key public** -- print the public key from a private key or certificate
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto key public [--out=]
17 | [--password-file=]
18 | ```
19 |
20 | ## Description
21 |
22 | **step crypto key public** outputs the public key, in PEM format, corresponding to
23 | the input `file`.
24 |
25 | ## Positional arguments
26 |
27 | `key-file`
28 | Path to a private key.
29 |
30 | ## Options
31 |
32 |
33 | **--out**=`file`
34 | The `file` to write the public key.
35 |
36 | **--password-file**=`file`
37 | The path to the `file` containing the password to encrypt or decrypt the private key.
38 |
39 | **-f**, **--force**
40 | Force the overwrite of files without asking.
41 |
42 | ## Examples
43 |
44 | Print the corresponding public key:
45 | ```shell
46 | $ step crypto key public priv.pem
47 | ```
48 |
49 | Print the public key of an x509 certificate:
50 | ```shell
51 | $ step crypto key public foo.crt
52 | ```
53 |
54 | Write the corresponding public key to a file:
55 | ```shell
56 | $ step crypto key public --out pub.pem key.pem
57 | ```
58 |
59 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/key/verify/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto key verify
5 | menu:
6 |   docs:
7 |     parent: step crypto key
8 | ---
9 |
10 | ## Name
11 | **step crypto key verify** -- verify a signed message
12 |
13 | ## Usage
14 |
15 | ```raw
16 | step crypto key verify [] --key= --signature=
17 | [--alg=] [--pss]
18 | ```
19 |
20 | ## Description
21 |
22 | **step crypto key verify** verifies the signature of a file or a message.
23 |
24 | ## Positional arguments
25 |
26 | `file`
27 | File to verify.
28 |
29 | ## Options
30 |
31 |
32 | **--key**=`file`
33 | The path to the `file` containing the public key.
34 |
35 | **--signature**=`base64`, **--sig**=`base64`
36 | The `base64` version of the signature.
37 |
38 | **--alg**=`algorithm`
39 | The hash algorithm to use on RSA PKCS #1 v1.5 and RSA-PSS signatures.
40 |
41 | `algorithm` must be one of:
42 |
43 | - **sha1** (or sha): SHA-1 produces a 160-bit hash value
44 |
45 | - **sha224**: SHA-224 produces a 224-bit hash value
46 |
47 | - **sha256** (default): SHA-256 produces a 256-bit hash value
48 |
49 | - **sha384**: SHA-384 produces a 384-bit hash value
50 |
51 | - **sha512**: SHA-512 produces a 512-bit hash value
52 |
53 | - **sha512-224**: SHA-512/224 uses SHA-512 and truncates the output to 224 bits
54 |
55 | - **sha512-256**: SHA-512/256 uses SHA-512 and truncates the output to 256 bits
56 |
57 | - **md5**: MD5 produces a 128-bit hash value
58 |
59 |
60 | **--pss**
61 | Verify using the RSA-PSS signature scheme.
62 |
63 | ## Examples
64 |
65 | Verify a file with its signature:
66 | ```shell
67 | $ step crypto key verify --key pub.key --sig "base64...=" file.txt
68 | true
69 | ```
70 |
71 | Verify a file using the PKCS #1 v1.5:
72 | ```shell
73 | $ step crypto key verify --key rsa.pub --sig "base64...=" file.txt
74 | ```
75 |
76 | Verify a file using the PKCS #1 v1.5 and SHA512:
77 | ```shell
78 | $ step crypto key verify --key rsa.pub --alg sha512 --sig "base64...=" file.txt
79 | ```
80 |
81 | Verify a file using the RSA-PSS scheme:
82 | ```shell
83 | $ step crypto key verify --key rsa.pub --pss --sig "base64...=" file.txt
84 | ```
85 |
86 |
--------------------------------------------------------------------------------
/step-cli/reference/crypto/nacl/README.mdx:
--------------------------------------------------------------------------------
1 | ---
2 | layout: auto-doc
3 | category: reference
4 | title: step crypto nacl
5 | menu:
6 |   docs:
7 |     parent: step crypto
8 |     children:
9 |       - auth
10 |       - box
11 |       - secretbox
12 |       - sign
13 | ---
14 |
15 | ## Name
16 | **step crypto nacl** -- easy-to-use high-speed tools for encryption and signing
17 |
18 | ## Usage
19 |
20 | ```raw
21 | step crypto nacl [arguments] [global-flags] [subcommand-flags]
22 | ```
23 |
24 | ## Description
25 |
26 | The **step crypto nacl** command group is a thin CLI wrapper around the NaCl
27 | (pronounced "salt") cryptography library. NaCl's goal is to provide all of the
28 | core operations needed to build higher-level cryptographic tools.
29 |
30 | Perhaps its biggest advantage is simplicity. NaCl was designed to be easy to
31 | use and hard to misuse. Typical cryptographic libraries force you to specify
32 | choices for cryptographic primitives and constructions (e.g., sign this
33 | message with 4096-bit RSA using PKCS#1 v2.0 with SHA-256). But most people are
34 | not cryptographers. These choices become foot guns. By contrast, NaCl allows
35 | you to simply say "sign this message". NaCl ships with a preselected choice --
36 | a state-of-the-art signature system suitable for most applications -- and it
37 | has a side mechanism through which a cryptographer can easily override the
38 | choice of signature system.
39 |
40 | There are language bindings and pure implementations of NaCl for all major
41 | languages. For internal use cases where compatibility with open standards like
42 | JWT is not an issue, NaCl should be your default choice for cryptographic
43 | needs.
44 | 45 | For more information on NaCl visit https://nacl.cr.yp.to 46 | 47 | ## Commands 48 | 49 | 50 | | Name | Usage | 51 | |---|---| 52 | | **[auth](auth/)** | authenticate a message using a secret key | 53 | | **[box](box/)** | authenticate and encrypt small messages using public-key cryptography | 54 | | **[secretbox](secretbox/)** | encrypt and authenticate small messages using secret-key cryptography | 55 | | **[sign](sign/)** | sign small messages using public-key cryptography | 56 | 57 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/auth/digest/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl auth digest 5 | menu: 6 | docs: 7 | parent: step crypto nacl auth 8 | --- 9 | 10 | ## Name 11 | **step crypto nacl auth digest** -- generate a 32-byte digest for a message 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto nacl auth digest 17 | ``` 18 | 19 | ## Description 20 | 21 | **step crypto nacl auth digest** creates a digest to authenticate the message 22 | read from STDIN using the given secret key. 23 | 24 | This command uses an implementation of NaCl's crypto_auth function. 25 | 26 | For examples, see **step help crypto nacl auth**. 
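What the 32-byte digest above and its verify counterpart compute, as an added example that is not part of step or its documentation. It assumes NaCl's default crypto_auth primitive (HMAC-SHA-512-256); `auth_digest`, `auth_verify` and `demo` are hypothetical helper names, and the key and message are constructed samples.

```python
# Added illustration (not step's own code): NaCl crypto_auth / crypto_auth_verify.
# Assumption: the default crypto_auth primitive, HMAC-SHA-512-256, i.e.
# HMAC-SHA-512 with the tag truncated to its first 32 bytes.
# auth_digest, auth_verify and demo are hypothetical helper names.
import hashlib
import hmac
import io

KEY_SIZE = 32  # crypto_auth_KEYBYTES
TAG_SIZE = 32  # crypto_auth_BYTES: the "32-byte digest"


def auth_digest(stream, key, chunk_size=65536):
    """Return the 32-byte authenticator for the bytes read from `stream`."""
    if len(key) != KEY_SIZE:
        raise ValueError("key must be exactly %d bytes" % KEY_SIZE)
    mac = hmac.new(key, digestmod=hashlib.sha512)
    # Read in chunks so a large message piped on STDIN is never held in memory.
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        mac.update(chunk)
    return mac.digest()[:TAG_SIZE]


def auth_verify(stream, key, tag):
    """Return True only if `tag` authenticates the stream under `key`."""
    # Reject tags of the wrong length outright: accepting a prefix would
    # reduce the check to however few bytes the caller supplied.
    if len(tag) != TAG_SIZE:
        return False
    expected = auth_digest(stream, key)
    # Constant-time comparison, so response timing does not reveal how many
    # leading bytes of a guessed tag were correct.
    return hmac.compare_digest(expected, tag)


def demo():
    """Run the genuine, tampered, wrong-key and short-tag cases."""
    key = bytes(range(KEY_SIZE))          # constructed sample key, not a real secret
    message = b"deploy release 1.4.2\n"   # constructed sample message
    tampered = message.replace(b"1.4.2", b"9.9.9")
    tag = auth_digest(io.BytesIO(message), key)
    return {
        "tag_hex": tag.hex(),
        "genuine": auth_verify(io.BytesIO(message), key, tag),
        "tampered": auth_verify(io.BytesIO(tampered), key, tag),
        "wrong_key": auth_verify(io.BytesIO(message), bytes(KEY_SIZE), tag),
        "short_tag": auth_verify(io.BytesIO(message), key, tag[:16]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the holder of the same secret key can produce or check the digest, so this authenticates a message between parties that already share a key; it does not provide the third-party verifiability of the **sign** commands.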
27 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/auth/verify/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl auth verify 5 | menu: 6 | docs: 7 | parent: step crypto nacl auth 8 | --- 9 | 10 | ## Name 11 | **step crypto nacl auth verify** -- validate a digest for a message 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto nacl auth verify 17 | ``` 18 | 19 | ## Description 20 | 21 | **step crypto nacl auth verify** checks that the digest is a valid authenticator 22 | of the message read from STDIN under the given secret key file. 23 | 24 | This command uses an implementation of NaCl's crypto_auth_verify function. 25 | 26 | For examples, see **step help crypto nacl auth**. 27 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/box/keypair/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl box keypair 5 | menu: 6 | docs: 7 | parent: step crypto nacl box 8 | --- 9 | 10 | ## Name 11 | **step crypto nacl box keypair** -- generate a key for use with seal and open 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto nacl box keypair 17 | ``` 18 | 19 | ## Description 20 | 21 | Generates a new public/private keypair suitable for use with seal and open. 22 | The private key is encrypted using a password in a nacl secretbox. 23 | 24 | This command uses an implementation of NaCl's crypto_box_keypair function. 25 | 26 | For examples, see **step help crypto nacl box**. 27 | 28 | ## Positional arguments 29 | 30 | `pub-file` 31 | The path to write the public key. 32 | 33 | `priv-file` 34 | The path to write the encrypted private key. 
35 | 36 | ## Options 37 | 38 | 39 | **-f**, **--force** 40 | Force the overwrite of files without asking. 41 | 42 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/box/open/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl box open 5 | menu: 6 | docs: 7 | parent: step crypto nacl box 8 | --- 9 | 10 | ## Name 11 | **step crypto nacl box open** -- authenticate and decrypt a box produced by seal 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto nacl box open 17 | [--raw] 18 | ``` 19 | 20 | ## Description 21 | 22 | Authenticate and decrypt a box produced by seal using the specified KEY. If 23 | PRIV_KEY is encrypted you will be prompted for the password. The sealed box is 24 | read from STDIN and the decrypted plaintext is written to STDOUT. 25 | 26 | This command uses an implementation of NaCl's crypto_box_open function. 27 | 28 | For examples, see **step help crypto nacl box**. 29 | 30 | ## Positional arguments 31 | 32 | `nonce` 33 | The nonce provided when the box was sealed. 34 | 35 | To use a binary nonce use the prefix 'base64:' and the standard base64 36 | encoding. e.g. base64:081D3pFPBkwx1bURR9HQjiYbAUxigo0Z 37 | 38 | `sender-pub-key` 39 | The path to the public key of the peer that produced the sealed box. 40 | 41 | `priv-key` 42 | The path to the private key used to open the box. 
43 | 44 | ## Options 45 | 46 | 47 | **--raw** 48 | Indicates that input is not base64 encoded 49 | 50 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/box/seal/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl box seal 5 | menu: 6 | docs: 7 | parent: step crypto nacl box 8 | --- 9 | 10 | ## Name 11 | **step crypto nacl box seal** -- produce an authenticated and encrypted ciphertext 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto nacl box seal 17 | [--raw] 18 | ``` 19 | 20 | ## Description 21 | 22 | Reads plaintext from STDIN and writes an encrypted and authenticated 23 | ciphertext to STDOUT. The "box" can be opened by a recipient who has access 24 | to the private key corresponding to `recipient-pub-key`. 25 | 26 | This command uses an implementation of NaCl's crypto_box function. 27 | 28 | For examples, see **step help crypto nacl box**. 29 | 30 | ## Positional arguments 31 | 32 | `nonce` 33 | Must be unique for each distinct message for a given pair of keys. 34 | 35 | To use a binary nonce use the prefix 'base64:' and the standard base64 36 | encoding. e.g. base64:081D3pFPBkwx1bURR9HQjiYbAUxigo0Z 37 | 38 | `recipient-pub-key` 39 | The path to the public key of the intended recipient of the sealed box. 40 | 41 | `priv-key` 42 | The path to the private key used for authentication. 
43 | 44 | ## Options 45 | 46 | 47 | **--raw** 48 | Do not base64 encode output 49 | 50 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/secretbox/open/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl secretbox open 5 | menu: 6 | docs: 7 | parent: step crypto nacl secretbox 8 | --- 9 | 10 | ## Name 11 | **step crypto nacl secretbox open** -- authenticate and decrypt a box produced by seal 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto nacl secretbox open 17 | [--raw] 18 | ``` 19 | 20 | ## Description 21 | 22 | **step crypto nacl secretbox open** verifies and decrypts a ciphertext using a 23 | secret key and a nonce. 24 | 25 | This command uses an implementation of NaCl's crypto_secretbox_open function. 26 | 27 | For examples, see **step help crypto nacl secretbox**. 28 | 29 | ## Positional arguments 30 | 31 | `nonce` 32 | The nonce provided when the secretbox was sealed. 33 | 34 | To use a binary nonce use the prefix 'base64:' and the standard base64 35 | encoding. e.g. base64:081D3pFPBkwx1bURR9HQjiYbAUxigo0Z 36 | 37 | `key-file` 38 | The path to the shared key. 
39 | 40 | ## Options 41 | 42 | 43 | **--raw** 44 | Indicates that input is not base64 encoded 45 | 46 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/secretbox/seal/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl secretbox seal 5 | menu: 6 | docs: 7 | parent: step crypto nacl secretbox 8 | --- 9 | 10 | ## Name 11 | **step crypto nacl secretbox seal** -- produce an encrypted ciphertext 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto nacl secretbox seal 17 | [--raw] 18 | ``` 19 | 20 | ## Description 21 | 22 | **step crypto nacl secretbox seal** encrypts and authenticates a message using 23 | a secret key and a nonce. 24 | 25 | This command uses an implementation of NaCl's crypto_secretbox function. 26 | 27 | For examples, see **step help crypto nacl secretbox**. 28 | 29 | ## Positional arguments 30 | 31 | `nonce` 32 | Must be unique for each distinct message for a given key. 33 | 34 | To use a binary nonce use the prefix 'base64:' and the standard base64 35 | encoding. e.g. base64:081D3pFPBkwx1bURR9HQjiYbAUxigo0Z 36 | 37 | `key-file` 38 | The path to the shared key. 
39 | 40 | ## Options 41 | 42 | 43 | **--raw** 44 | Do not base64 encode output 45 | 46 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/sign/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl sign 5 | menu: 6 | docs: 7 | parent: step crypto nacl 8 | children: 9 | - keypair 10 | - open 11 | - sign 12 | --- 13 | 14 | ## Name 15 | **step crypto nacl sign** -- sign small messages using public-key cryptography 16 | 17 | ## Usage 18 | 19 | ```raw 20 | step crypto nacl sign [arguments] [global-flags] [subcommand-flags] 21 | ``` 22 | 23 | ## Description 24 | 25 | **step crypto nacl sign** command group uses public-key cryptography to sign and 26 | verify messages. The implementation is based on NaCl's crypto_sign function. 27 | 28 | NaCl crypto_sign is crypto_sign_edwards25519sha512batch, a particular 29 | combination of Curve25519 in Edwards form and SHA-512 into a signature scheme 30 | suitable for high-speed batch verification. This function is conjectured to meet 31 | the standard notion of unforgeability under chosen-message attacks. 
32 | 33 | These commands are interoperable with NaCl: https://nacl.cr.yp.to/sign.html 34 | 35 | ## Examples 36 | 37 | Create a keypair for verifying and signing messages: 38 | ```shell 39 | $ step crypto nacl sign keypair nacl.sign.pub nacl.sign.priv 40 | ``` 41 | 42 | Sign a message using the private key: 43 | ```shell 44 | $ step crypto nacl sign sign nacl.sign.priv 45 | Please enter text to sign: 46 | rNrOfqsv4svlRnVPSVYe2REXodL78yEMHtNkzAGNp4MgHuVGoyayp0zx4D5rjTzYVVrD2HRP306ZILT62ohvCG1lc3NhZ2U 47 | 48 | $ cat message.txt | step crypto nacl sign sign ~/step/keys/nacl.recipient.sign.priv 49 | rNrOfqsv4svlRnVPSVYe2REXodL78yEMHtNkzAGNp4MgHuVGoyayp0zx4D5rjTzYVVrD2HRP306ZILT62ohvCG1lc3NhZ2U 50 | ``` 51 | 52 | Verify the signed message using the public key: 53 | ```shell 54 | $ echo rNrOfqsv4svlRnVPSVYe2REXodL78yEMHtNkzAGNp4MgHuVGoyayp0zx4D5rjTzYVVrD2HRP306ZILT62ohvCG1lc3NhZ2U \ 55 | | step crypto nacl sign open nacl.sign.pub 56 | message 57 | ``` 58 | 59 | ## Commands 60 | 61 | 62 | | Name | Usage | 63 | |---|---| 64 | | **[keypair](keypair/)** | generate a pair for use with sign and open | 65 | | **[open](open/)** | verify a signed message produced by sign | 66 | | **[sign](sign/)** | sign a message using Ed25519 | 67 | 68 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/sign/keypair/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl sign keypair 5 | menu: 6 | docs: 7 | parent: step crypto nacl sign 8 | --- 9 | 10 | ## Name 11 | **step crypto nacl sign keypair** -- generate a pair for use with sign and open 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto nacl sign keypair 17 | ``` 18 | 19 | ## Description 20 | 21 | **step crypto nacl sign keypair** generates a secret key and a corresponding 22 | public key valid for verifying and signing messages. 
23 | 24 | This command uses an implementation of NaCl's crypto_sign_keypair function. 25 | 26 | For examples, see **step help crypto nacl sign**. 27 | 28 | ## Options 29 | 30 | 31 | **-f**, **--force** 32 | Force the overwrite of files without asking. 33 | 34 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/sign/open/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl sign open 5 | menu: 6 | docs: 7 | parent: step crypto nacl sign 8 | --- 9 | 10 | ## Name 11 | **step crypto nacl sign open** -- verify a signed message produced by sign 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto nacl sign open 17 | ``` 18 | 19 | ## Description 20 | 21 | **step crypto nacl sign open** verifies the signature of a message using the 22 | signer's public key. 23 | 24 | This command uses an implementation of NaCl's crypto_sign_open function. 25 | 26 | For examples, see **step help crypto nacl sign**. 27 | 28 | ## Options 29 | 30 | 31 | **--raw** 32 | Indicates that input is not base64 encoded 33 | 34 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/nacl/sign/sign/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto nacl sign sign 5 | menu: 6 | docs: 7 | parent: step crypto nacl sign 8 | --- 9 | 10 | ## Name 11 | **step crypto nacl sign sign** -- sign a message using Ed25519 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto nacl sign sign 17 | ``` 18 | 19 | ## Description 20 | 21 | **step crypto nacl sign sign** signs a message m using the signer's private 22 | key. 23 | 24 | This command uses an implementation of NaCl's crypto_sign function. 25 | 26 | For examples, see **step help crypto nacl sign**. 
27 | 28 | ## Options 29 | 30 | 31 | **--raw** 32 | Do not base64 encode output 33 | 34 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/otp/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto otp 5 | menu: 6 | docs: 7 | parent: step crypto 8 | children: 9 | - generate 10 | - verify 11 | --- 12 | 13 | ## Name 14 | **step crypto otp** -- generate and verify one-time passwords 15 | 16 | ## Usage 17 | 18 | ```raw 19 | step crypto otp [arguments] [global-flags] [subcommand-flags] 20 | ``` 21 | 22 | ## Description 23 | 24 | **step crypto otp** command group implements TOTP and HOTP one-time passwords 25 | (RFC 6238 and RFC 4226, respectively). 26 | 27 | ## Examples 28 | 29 | Generate a new TOTP token and its QR code to scan: 30 | ```shell 31 | $ step crypto otp generate --issuer smallstep.com --account name@smallstep.com --qr smallstep.png > smallstep.totp 32 | 33 | $ cat smallstep.totp 34 | 55RU6WTUISKKGEYVNSSI7H6FTJWJ4IPP 35 | ``` 36 | 37 | Scan the QR code using Google Authenticator, Authy or similar software and 38 | use it to verify the TOTP token: 39 | ```shell 40 | $ step crypto otp verify --secret smallstep.totp 41 | Enter Passcode: 614318 42 | ok 43 | ``` 44 | 45 | ## Commands 46 | 47 | 48 | | Name | Usage | 49 | |---|---| 50 | | **[generate](generate/)** | generate a one-time password | 51 | | **[verify](verify/)** | verify a one-time password | 52 | 53 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/otp/generate/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto otp generate 5 | menu: 6 | docs: 7 | parent: step crypto otp 8 | --- 9 | 10 | ## Name 11 | **step crypto otp generate** -- generate a one-time password 12 | 13 | ## Usage 
14 | 15 | ```raw 16 | step crypto otp generate [--issuer=] 17 | [--account=] [--period=] [--length=] 18 | [--alg=] [--url] [--qr] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step crypto otp generate** does TOTP and HOTP 24 | 25 | ## Options 26 | 27 | 28 | **--issuer**=`value`, **--iss**=`value` 29 | Name of the issuing organization (e.g., smallstep.com) 30 | 31 | **--account**=`value` 32 | Name of the user's account (e.g., a username or email 33 | address) 34 | 35 | **--period**=`value` 36 | Number of seconds a TOTP hash is valid. Defaults to 30 37 | seconds. 38 | 39 | **--length**=`value`, **--digits**=`value` 40 | Length of one-time passwords. Defaults to 6. 41 | 42 | **--secret-size**=`value` 43 | Size of generated TOTP secret. Defaults to 20. 44 | 45 | **--alg**=`value`, **--algorithm**=`value` 46 | Algorithm to use for HMAC. Defaults to SHA1. Must be 47 | one of: SHA1, SHA256, SHA512 48 | 49 | **--url** 50 | Output a TOTP Key URI. See 51 | https://github.com/google/google-authenticator/wiki/Key-Uri-Format 52 | 53 | **--qr**=`value` 54 | Write a QR code to the specified path 55 | 56 | **-f**, **--force** 57 | Force the overwrite of files without asking. 58 | 59 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/otp/verify/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto otp verify 5 | menu: 6 | docs: 7 | parent: step crypto otp 8 | --- 9 | 10 | ## Name 11 | **step crypto otp verify** -- verify a one-time password 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto otp verify [--secret=] 17 | [--period=] [--skew=] [--length=] 18 | [--alg=] [--time=] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step crypto otp verify** does TOTP and HOTP 24 | 25 | ## Options 26 | 27 | 28 | **--secret**=`file` 29 | The `file` containing TOTP secret. 
30 | 31 | **--period**=`value` 32 | Number of seconds a TOTP hash is valid. Defaults to 30 33 | seconds. 34 | 35 | **--skew**=`value` 36 | Periods before or after current time to allow. Defaults 37 | to 0. Values greater than 1 require '--insecure' flag. 38 | 39 | **--length**=`value`, **--digits**=`value` 40 | Length of one-time passwords. Defaults to 6 digits. 41 | 42 | **--alg**=`value`, **--algorithm**=`value` 43 | Algorithm to use for HMAC. Defaults to SHA1. Must be 44 | one of: SHA1, SHA256, SHA512 45 | 46 | **--time**=`time|duration` 47 | The `time|duration` to use for TOTP validation. If a `time` is 48 | used it is expected to be in RFC 3339 format. If a `duration` is used, it is a 49 | sequence of decimal numbers, each with optional fraction and a unit suffix, such 50 | as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", 51 | "s", "m", "h". A `duration` value is added to the current time. An empty 52 | `time|duration` defaults to "time.Now()". 53 | 54 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/winpe/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto winpe 5 | menu: 6 | docs: 7 | parent: step crypto 8 | children: 9 | - extract 10 | --- 11 | 12 | ## Name 13 | **step crypto winpe** -- extract certificates and verify Windows Portable Executable files 14 | 15 | ## Usage 16 | 17 | ```raw 18 | step crypto winpe [arguments] [global-flags] [subcommand-flags] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step crypto winpe** command group provides facilities to extract certificates and 24 | verify Windows Portable Executable files. 
25 | 26 | ## Examples 27 | 28 | Extract all certificates and output in JSON format: 29 | ```shell 30 | step crypto winpe extract my.exe | step certificate inspect --format json --bundle 31 | ``` 32 | 33 | ## Commands 34 | 35 | 36 | | Name | Usage | 37 | |---|---| 38 | | **[extract](extract/)** | extract certificates from Windows Portable Executable files | 39 | 40 | -------------------------------------------------------------------------------- /step-cli/reference/crypto/winpe/extract/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step crypto winpe extract 5 | menu: 6 | docs: 7 | parent: step crypto winpe 8 | --- 9 | 10 | ## Name 11 | **step crypto winpe extract** -- extract certificates from Windows Portable Executable files 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step crypto winpe extract 17 | ``` 18 | 19 | ## Description 20 | 21 | **step crypto winpe extract** extracts certificates from a Windows Portable Executable file in PEM format. 22 | 23 | For examples, see **step help crypto winpe**. 24 | 25 | ## Positional arguments 26 | 27 | `file` 28 | The path to a Windows Portable Executable file 29 | -------------------------------------------------------------------------------- /step-cli/reference/fileserver/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step fileserver 5 | menu: 6 | docs: 7 | parent: step 8 | --- 9 | 10 | ## Name 11 | **step fileserver** -- start an HTTP(S) server serving the contents of a path 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step fileserver 17 | [--address=
] [--cert=] [--key=] [--roots=] 18 | [--pidfile=] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step fileserver** command starts an HTTP(S) server that serves 24 | the contents of a file system. If the server is running using certificates, sending the 25 | HUP signal will reload the certificates. 26 | 27 | This command is experimental and only intended for test purposes. 28 | 29 | ## Positional arguments 30 | 31 | `dir` 32 | The directory used as root for the HTTP file server. 33 | 34 | ## Options 35 | 36 | 37 | **--address**=`address` 38 | The TCP `address` to listen on (e.g. ":8443"). 39 | 40 | **--cert**=`file` 41 | The `file` containing the TLS certificate to use. 42 | 43 | **--key**=`file` 44 | The `file` containing the key corresponding to the certificate. 45 | 46 | **--roots**=`file` 47 | The `file` containing the root certificate(s) that will be used to verify the client certificates. 48 | 49 | **--pidfile**=`file` 50 | The path to the `file` to write the process ID. 51 | 52 | ## Examples 53 | 54 | Start an HTTP file server on port 8080. 55 | ```shell 56 | $ step fileserver --address :8080 /path/to/web-root 57 | ``` 58 | 59 | Start an HTTPS file server on 127.0.0.1:8443. 60 | ```shell 61 | $ step ca certificate 127.0.0.1 localhost.crt localhost.key 62 | ... 63 | $ step fileserver --address 127.0.0.1:8443 \ 64 | --cert localhost.crt --key localhost.key /path/to/web-root 65 | ``` 66 | 67 | Start an HTTPS file server on a random port and require client certificates. 
68 | ```shell 69 | $ step fileserver --cert localhost.crt --key localhost.key \ 70 | --roots $(step path)/certs/root_ca.crt /path/to/web-root 71 | ``` 72 | 73 | -------------------------------------------------------------------------------- /step-cli/reference/help/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step help 5 | menu: 6 | docs: 7 | parent: step 8 | --- 9 | 10 | ## Name 11 | **step help** -- display help for the specified command or command group 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step help 17 | ``` 18 | 19 | ## Description 20 | 21 | **step help** command displays help for a command or command group. 22 | 23 | ## Options 24 | 25 | 26 | **--http**=`value` 27 | HTTP service address (e.g., ':8080') 28 | 29 | **--html**=`directory` 30 | The export `directory` for HTML docs. 31 | 32 | **--markdown**=`directory` 33 | The export `directory` for Markdown docs. 34 | 35 | **--report** 36 | Writes a JSON report to the HTML docs directory. 37 | 38 | ## Examples 39 | 40 | Display help for **step ca certificate**: 41 | ```shell 42 | $ step help ca certificate 43 | ``` 44 | 45 | Display help for **step ssh**: 46 | ```shell 47 | $ step help ssh 48 | ``` 49 | 50 | -------------------------------------------------------------------------------- /step-cli/reference/path/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step path 5 | menu: 6 | docs: 7 | parent: step 8 | --- 9 | 10 | ## Name 11 | **step path** -- print the configured step path and exit 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step path [--base] [--profile] 17 | ``` 18 | 19 | ## Description 20 | 21 | **step path** command prints the configured step path and exits. 22 | 23 | When using contexts to manage 'step-ca' environments, this command will return 24 | the current authority path. 
If no current context is configured this command returns the 25 | default step path of $HOME/.step, which can be overridden with the **STEPPATH** 26 | environment variable. 27 | 28 | ## Options 29 | 30 | 31 | **--base** 32 | Return the base of the step path 33 | 34 | **--profile** 35 | Return the base path of the currently configured default profile 36 | 37 | ## Examples 38 | 39 | Get the path with no current context configured: 40 | ```shell 41 | $ step path 42 | /Users/max/.step 43 | ``` 44 | 45 | Get the path with no current context and environment variable STEPPATH overriding the default: 46 | ```shell 47 | $ export STEPPATH=/tmp/step 48 | $ step path 49 | /tmp/step 50 | ``` 51 | 52 | Get the path with a current context (configured at $STEPPATH/current-context.json): 53 | ```shell 54 | $ cat $(step path --base)/current-context.json 55 | {"context": "machine.step-internal.net"} 56 | 57 | $ step path 58 | /Users/max/.step/authorities/machine.step-internal.net 59 | ``` 60 | 61 | Get the base path: 62 | ```shell 63 | $ step path --base 64 | /Users/max/.step 65 | ``` 66 | 67 | Get the base path with environment variable STEPPATH overriding the default: 68 | ```shell 69 | $ export STEPPATH=/tmp/step 70 | $ step path --base 71 | /tmp/step 72 | ``` 73 | 74 | Get the path of the current profile: 75 | ```shell 76 | $ cat $(step path --base)/current-context.json 77 | {"context": "ca.acme.net"} 78 | 79 | $ cat $(step path --base)/contexts.json 80 | { 81 | "ca.beta.net": { 82 | "profile": "beta-corp", 83 | "authority": "machine.beta.net" 84 | }, 85 | "ca.acme.net": { 86 | "profile": "example-corp", 87 | "authority": "machine.acme.net" 88 | } 89 | 90 | } 91 | $ step path --profile 92 | /Users/max/.step/profiles/beta-corp 93 | ``` 94 | 95 | 96 | -------------------------------------------------------------------------------- /step-cli/reference/ssh/check-host/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | 
category: reference 4 | title: step ssh check-host 5 | menu: 6 | docs: 7 | parent: step ssh 8 | --- 9 | 10 | ## Name 11 | **step ssh check-host** -- checks if a certificate has been issued for a host 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ssh check-host [--verbose,-v] 17 | [--offline] [--ca-config=] 18 | [--ca-url=] [--root=] [--context=] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step ssh check-host** checks if a certificate has been issued for a host. 24 | 25 | This command returns a zero exit status if the host has a certificate. 26 | Otherwise, it returns 1. 27 | 28 | ## Positional arguments 29 | 30 | `hostname` 31 | The hostname of the server to check. 32 | 33 | ## Options 34 | 35 | 36 | **--verbose**, **-v** 37 | Return "true" or "false" in the terminal. 38 | 39 | **--ca-config**=`file` 40 | The certificate authority configuration `file`. Defaults to 41 | $(step path)/config/ca.json 42 | 43 | **--offline** 44 | Creates a certificate without contacting the certificate authority. Offline mode 45 | uses the configuration, certificates, and keys created with **step ca init**, 46 | but can accept a different configuration file using **--ca-config** flag. 47 | 48 | **--ca-url**=`URI` 49 | `URI` of the targeted Step Certificate Authority. 50 | 51 | **--root**=`file` 52 | The path to the PEM `file` used as the root certificate authority. 53 | 54 | **--context**=`name` 55 | The context `name` to apply for the given command. 
56 | 57 | ## Examples 58 | 59 | Check that internal.example.com exists: 60 | ```shell 61 | $ step ssh check-host internal.smallstep.com 62 | ``` 63 | 64 | -------------------------------------------------------------------------------- /step-cli/reference/ssh/fingerprint/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ssh fingerprint 5 | menu: 6 | docs: 7 | parent: step ssh 8 | --- 9 | 10 | ## Name 11 | **step ssh fingerprint** -- print the fingerprint of an SSH public key or certificate 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ssh fingerprint 17 | ``` 18 | 19 | ## Description 20 | 21 | **step ssh fingerprint** prints the fingerprint of an ssh public key or 22 | certificate. 23 | 24 | ## Positional arguments 25 | 26 | `file` 27 | The path to an SSH public key or certificate. 28 | 29 | ## Options 30 | 31 | 32 | **--format**=`format` 33 | The `format` of the fingerprint, it must be "hex", "base64", "base64-url", "base64-raw", "base64-url-raw" or "emoji". 
34 | 35 | **--certificate** 36 | Include SSH certificate bytes in fingerprint 37 | 38 | ## Examples 39 | 40 | Print the fingerprint for the public key in 41 | an SSH certificate: 42 | ```shell 43 | $ step ssh fingerprint id_ecdsa-cert.pub 44 | ``` 45 | 46 | Print the fingerprint for an SSH public key: 47 | ```shell 48 | $ step ssh fingerprint id_ecdsa.pub 49 | ``` 50 | 51 | Print the fingerprint for the full contents of 52 | an SSH certificate: 53 | ```shell 54 | $ step ssh fingerprint id_ecdsa-cert.pub --certificate 55 | ``` 56 | 57 | -------------------------------------------------------------------------------- /step-cli/reference/ssh/hosts/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ssh hosts 5 | menu: 6 | docs: 7 | parent: step ssh 8 | --- 9 | 10 | ## Name 11 | **step ssh hosts** -- returns a list of all valid hosts 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ssh hosts [--set=] [--set-file=] 17 | [--console] [--offline] [--ca-config=] [--ca-url=] [--root=] 18 | [--context=] 19 | ``` 20 | 21 | ## Description 22 | 23 | **step ssh hosts** returns a list of valid hosts for SSH. 24 | 25 | This command returns a zero exit status when the server exists; it returns 1 26 | otherwise. 27 | 28 | ## Options 29 | 30 | 31 | **--set**=`key=value` 32 | The `key=value` pair with template data variables. Use the **--set** flag multiple times to add multiple variables. 33 | 34 | **--set-file**=`file` 35 | The JSON `file` with the template data variables. 36 | 37 | **--console** 38 | Complete the flow while remaining inside the terminal. 39 | 40 | **--offline** 41 | Creates a certificate without contacting the certificate authority. Offline mode 42 | uses the configuration, certificates, and keys created with **step ca init**, 43 | but can accept a different configuration file using **--ca-config** flag. 
44 | 45 | **--ca-config**=`file` 46 | The certificate authority configuration `file`. Defaults to 47 | $(step path)/config/ca.json 48 | 49 | **--ca-url**=`URI` 50 | `URI` of the targeted Step Certificate Authority. 51 | 52 | **--root**=`file` 53 | The path to the PEM `file` used as the root certificate authority. 54 | 55 | **--context**=`name` 56 | The context `name` to apply for the given command. 57 | 58 | ## Examples 59 | 60 | Get a list of valid hosts for SSH: 61 | ```shell 62 | $ step ssh hosts 63 | ``` 64 | 65 | -------------------------------------------------------------------------------- /step-cli/reference/ssh/inspect/README.mdx: -------------------------------------------------------------------------------- 1 | --- 2 | layout: auto-doc 3 | category: reference 4 | title: step ssh inspect 5 | menu: 6 | docs: 7 | parent: step ssh 8 | --- 9 | 10 | ## Name 11 | **step ssh inspect** -- print the contents of an ssh certificate 12 | 13 | ## Usage 14 | 15 | ```raw 16 | step ssh inspect 17 | ``` 18 | 19 | ## Description 20 | 21 | **step ssh inspect** command prints ssh certificate details in human readable 22 | format. 23 | 24 | ## Positional arguments 25 | 26 | `crt-file` 27 | The path to an ssh certificate. 28 | 29 | ## Options 30 | 31 | 32 | **--format**=`format` 33 | The output format for printing the introspection details. 34 | 35 | `format` is a string and must be one of: 36 | 37 | - **text**: Print output in unstructured text suitable for a human to read. 38 | 39 | - **json**: Print output in JSON format. 

## Examples

Prints the contents of id_ecdsa-cert.pub:
```shell
$ step ssh inspect id_ecdsa-cert.pub
```

--------------------------------------------------------------------------------
/step-cli/reference/ssh/list/README.mdx:
--------------------------------------------------------------------------------
---
layout: auto-doc
category: reference
title: step ssh list
menu:
  docs:
    parent: step ssh
---

## Name
**step ssh list** -- list public keys known to the ssh agent

## Usage

```raw
step ssh list [<subject>] [--raw]
```

## Description

**step ssh list** lists public key identities known to the ssh agent.

By default it prints key fingerprints; to list the raw keys, use the **--raw** flag.

## Positional arguments

`subject`
Optional subject or comment to filter keys by.

## Options

**--raw**
List public keys instead of fingerprints.

## Examples

List all key fingerprints known to the agent:
```shell
$ step ssh list
```

List all the key fingerprints with the comment joe@work:
```shell
$ step ssh list joe@work
```

List all keys known to the agent:
```shell
$ step ssh list --raw
```

List all the keys with the comment joe@work:
```shell
$ step ssh list --raw joe@work
```

--------------------------------------------------------------------------------
/step-cli/reference/ssh/needs-renewal/README.mdx:
--------------------------------------------------------------------------------
---
layout: auto-doc
category: reference
title: step ssh needs-renewal
menu:
  docs:
    parent: step ssh
---

## Name
**step ssh needs-renewal** -- Check if an SSH certificate needs to be renewed

## Usage

```raw
step ssh needs-renewal <cert-file>
[--expires-in=<percent|duration>] [--verbose]
```

## Description

**step ssh needs-renewal** returns '0' if the SSH certificate needs
to be renewed based on its remaining lifetime. Returns '1' if the SSH
certificate is within its validity lifetime bounds and does not need to be
renewed. By default, an SSH certificate "needs renewal" when it has
passed 66% (default threshold) of its allotted lifetime. This threshold can be
adjusted using the '--expires-in' flag.

## Positional arguments

`cert-file`
The path to an SSH certificate.

## Options

**--expires-in**=`percent|duration`
Check if the certificate expires within the given time window
using `percent|duration`. If using `percent`, the input must be followed by a "%"
character. If using `duration`, the input must be a sequence of decimal numbers,
each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

**--verbose**, **-v**
Print human readable affirmation if certificate requires renewal.

## Exit codes

This command returns '0' if the SSH certificate needs renewal, '1' if the
SSH certificate does not need renewal, '2' if the SSH certificate file does not
exist, and '255' for any other error.

## Examples

Check if an SSH certificate needs renewal using the default threshold (66%):
```shell
$ step ssh needs-renewal ./ssh_host_ed25519_key.pub
```

Check if certificate will expire within a given duration:
```shell
$ step ssh needs-renewal ./ssh_host_ed25519_key.pub --expires-in 1h15m
```

Check if an SSH certificate has passed 75 percent of its lifetime:
```shell
$ step ssh needs-renewal ./ssh_host_ed25519_key.pub --expires-in 75%
```

--------------------------------------------------------------------------------
/step-cli/reference/ssh/proxycommand/README.mdx:
--------------------------------------------------------------------------------
---
layout: auto-doc
category: reference
title: step ssh proxycommand
menu:
  docs:
    parent: step ssh
---

## Name
**step ssh proxycommand** -- proxy ssh connections according to the host registry

## Usage

```raw
step ssh proxycommand <user> <host> <port>
[--provisioner=<name>] [--set=<key=value>] [--set-file=<file>]
[--console] [--offline] [--ca-config=<file>]
[--ca-url=<URI>] [--root=<file>] [--context=<name>]
```

## Description

**step ssh proxycommand** looks into the host registry
and proxies the ssh connection according to its configuration. This command
is used in the ssh client config with the `ProxyCommand` keyword.

This command will add the user to the ssh-agent if necessary.

## Positional arguments

`user`
The remote username, and the subject used to log in.

`host`
The host to connect to.

`port`
The port to connect to.

## Options

**--provisioner**=`name`, **--issuer**=`name`
The provisioner `name` to use.

**--provisioner-password-file**=`file`, **--password-file**=`file`
The path to the `file` containing the password to decrypt the one-time token
generating key.

**--set**=`key=value`
The `key=value` pair with template data variables. Use the **--set** flag multiple times to add multiple variables.

**--set-file**=`file`
The JSON `file` with the template data variables.

**--console**
Complete the flow while remaining inside the terminal.

**--offline**
Creates a certificate without contacting the certificate authority. Offline mode
uses the configuration, certificates, and keys created with **step ca init**,
but can accept a different configuration file using the **--ca-config** flag.

**--ca-config**=`file`
The certificate authority configuration `file`. Defaults to
$(step path)/config/ca.json

**--ca-url**=`URI`
`URI` of the targeted Step Certificate Authority.

**--root**=`file`
The path to the PEM `file` used as the root certificate authority.

**--context**=`name`
The context `name` to apply for the given command.
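
Added example, not part of the step documentation: a POSIX shell wrapper around the `step ssh needs-renewal` exit codes documented above that fails closed, so a missing certificate (2) or any other error (255) is never mistaken for "does not need renewal" (1). The function names `renewal_state` and `check_certs` are hypothetical.

```shell
# Exit codes handled here are the ones documented for `step ssh needs-renewal`:
#   0 = needs renewal, 1 = does not need renewal,
#   2 = certificate file does not exist, 255 = any other error.

# renewal_state CERT [THRESHOLD]   (hypothetical helper)
# Prints exactly one of: renew | ok | missing | error
renewal_state() {
    cert=$1
    threshold=${2:-}
    rc=0
    # `|| rc=$?` captures the status without tripping `set -e` in callers,
    # which matters because "1" is a normal answer here, not a failure.
    if [ -n "$threshold" ]; then
        step ssh needs-renewal "$cert" --expires-in "$threshold" >/dev/null 2>&1 || rc=$?
    else
        step ssh needs-renewal "$cert" >/dev/null 2>&1 || rc=$?
    fi
    case $rc in
        0) echo renew ;;
        1) echo ok ;;
        2) echo missing ;;
        *) echo error ;;   # 255 and anything unexpected
    esac
}

# check_certs THRESHOLD CERT...   (hypothetical helper)
# Prints "<state> <path>" for each certificate. Returns 0 only when every
# certificate was positively classified as renew or ok; a missing or
# unreadable certificate makes the whole run fail so that monitoring sees it.
check_certs() {
    threshold=$1
    shift
    failed=0
    for c in "$@"; do
        # The command substitution runs in a subshell, so renewal_state's
        # variables do not overwrite the ones used in this loop.
        state=$(renewal_state "$c" "$threshold")
        printf '%s %s\n' "$state" "$c"
        case $state in
            missing|error) failed=1 ;;
        esac
    done
    return "$failed"
}
```

A scheduled job can call `check_certs 75% /etc/ssh/ssh_host_ed25519_key-cert.pub` (path is an assumption), renew the entries reported as `renew`, and alert on a non-zero return.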

--------------------------------------------------------------------------------
/step-cli/reference/version/README.mdx:
--------------------------------------------------------------------------------
---
layout: auto-doc
category: reference
title: step version
menu:
  docs:
    parent: step
---

## Name
**step version** -- display the current version of the cli

## Usage

```raw
step version
```

## Description

**step version** prints the version of the cli.

--------------------------------------------------------------------------------
/tutorials/README.mdx:
--------------------------------------------------------------------------------
---
title: Open Source PKI Tutorials
html_title: PKI tutorials use open source to learn by doing
description:
  Learn how to set up open source private PKI to issue certificates using ACME
  or cloud APIs. Issue X.509 certificates to humans using your identity
  provider.
---

`step-ca` is an online Certificate Authority (CA) for secure, automated X.509
and SSH certificate management. People use our tooling to automate issuance,
renewal, and revocation of certificates for all types of workloads and use
cases. This tutorial section highlights many popular deployment scenarios and is
designed to help the participant learn by doing. Each activity includes detailed
examples and copy/paste code blocks.

In general, these tutorials assume you have initialized and started up a
`step-ca` instance using the steps in
[Getting Started](../step-ca/getting-started.mdx). As an alternative, you can use
our hosted CA, [Smallstep Certificate Manager](https://smallstep.com/certificate-manager).

## Further Examples & Tutorials

Beyond these docs, we have the following resources available:

- If you are new to PKI, we would recommend starting with
  [Everything you should know about certificates and PKI but are too afraid to ask.](https://smallstep.com/blog/everything-pki/)
- [Our blog](https://smallstep.com/blog) often features specific walk-throughs and integrations.
- We maintain
  [a list of community-contributed tutorials, examples, and integrations](https://github.com/smallstep/certificates/discussions/765)
- Our
  [GitHub Discussions](https://github.com/smallstep/certificates/discussions)
  and [Discord](https://u.step.sm/discord) are treasure troves for you to search
  and ask questions.

--------------------------------------------------------------------------------