64:' and the standard base64 encoding. e.g. base64:081D3pFPBkwx1bURR9HQjiYbAUxigo0Z

: The path to the shared key.

The certificate profile sets various certificate details such as certificate use and expiration. The default profile is 'leaf' which is suitable for a client or server using TLS.

: is a case-sensitive string and must be one of:

**leaf**
: Signs a leaf x.509 certificate suitable for use with TLS.

**intermediate-ca**
: Signs a certificate that can be used to sign additional leaf certificates.

**csr**
: Signs an x.509 certificate without modifying the CSR.

**step crypto nacl secretbox seal** encrypts and authenticates a message using a secret key and a nonce. This command uses an implementation of NaCl's crypto_secretbox function. For examples, see **step help crypto nacl secretbox**.

## POSITIONAL ARGUMENTS

: Must be unique for each distinct message for a given key.
: To use a binary nonce use the prefix 'base64:' and the standard base64 encoding. e.g. base64:081D3pFPBkwx1bURR9HQjiYbAUxigo0Z

: The path to the shared key.

**step ca roots** downloads a certificate bundle with all the root certificates.

## POSITIONAL ARGUMENTS

: File to write all the root certificates (PEM format)

## EXAMPLES

Download the roots with flags set by :
'''
$ step ca roots roots.pem
'''

Download the roots with custom flags:
'''
$ step ca roots roots.pem \
    --ca-url https://ca.example.com \
    --root /path/to/root_ca.crt
'''

Print the roots using flags set by :
'''
$ step ca roots
'''

**step ssh login** [] [**--token**=] [**--provisioner**=] [**--provisioner-password-file**=] [**--principal**=] [**--not-before**=] [**--not-after**=] [**--kty**=] [**--curve**=] [**--size**=] [**--comment**=] [**--set**=] [**--set-file**=] [**--console**] [**--force**] [**--insecure**] [**--offline**] [**--ca-config**=] [**--ca-url**=] [**--root**=] [**--context**=]

**step ca admin list** lists all admins in the CA configuration.
## EXAMPLES

List all admins:
'''
$ step ca admin list
'''

List only super-admins:
'''
$ step ca admin list --super
'''

List only admins without super-admin privileges:
'''
$ step ca admin list --super=false
'''

List all admins associated with a given provisioner:
'''
$ step ca admin list --provisioner admin-jwk
'''

List only super-admins associated with a given provisioner:
'''
$ step ca admin list --super --provisioner admin-jwk
'''

**step ssh fingerprint** prints the fingerprint of an ssh public key or certificate.

## POSITIONAL ARGUMENTS

: The path to an SSH public key or certificate.

## EXAMPLES

Print the fingerprint for the public key in an SSH certificate:
'''
$ step ssh fingerprint id_ecdsa-cert.pub
'''

Print the fingerprint for an SSH public key:
'''
$ step ssh fingerprint id_ecdsa.pub
'''

Print the fingerprint for the full contents of an SSH certificate:
'''
$ step ssh fingerprint id_ecdsa-cert.pub --certificate
'''

**step ca acme eab add** adds an ACME External Account Binding Key.

## POSITIONAL ARGUMENTS

: Name of the provisioner to which the ACME EAB key will be added
: (Optional) reference (from external system) for the key that will be added

## EXAMPLES

Add an ACME External Account Binding Key without reference:
'''
$ step ca acme eab add my_acme_provisioner
'''

Add an ACME External Account Binding Key with reference:
'''
$ step ca acme eab add my_acme_provisioner my_first_eab_key
'''

A unique identifier for the JWT.
The identifier must be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to multiple JWTs. The JTI claim can be used to prevent a JWT from being replayed (i.e., recipient(s) can use it to make a JWT one-time-use). The argument is a case-sensitive string. If the **--jti** flag is used without an argument a will be generated randomly with sufficient entropy to satisfy the collision-resistance criteria.

**step ca provisioner webhook add** [**--url**=] [**--kind**=] [**--bearer-token-file**=] [**--basic-auth-username**=] [**--basic-auth-password-file**=] [**--disable-tls-client-auth**] [**--cert-type**=] [**--admin-cert**=] [**--admin-key**=] [**--admin-subject**=] [**--admin-provisioner**=] [**--admin-password-file**=] [**--ca-url**=] [**--root**=] [**--context**=] [**--ca-config**=]

**step crypto otp** command group implements TOTP and HOTP one-time passwords (mention RFCs)

## EXAMPLES

Generate a new TOTP token and its QR Code to scan:
'''
$ step crypto otp generate --issuer smallstep.com --account name@smallstep.com -qr smallstep.png > smallstep.totp
$ cat smallstep.totp
55RU6WTUISKKGEYVNSSI7H6FTJWJ4IPP
'''

Scan the QR Code using Google Authenticator, Authy or similar software and use it to verify the TOTP token:
'''
$ step crypto otp verify --secret smallstep.totp
Enter Passcode: 614318
ok
'''

```
## NAME
**{{.HelpName}}** -- {{.Usage}}

## USAGE
{{if .UsageText}}{{.UsageText}}{{else}}**{{.HelpName}}** {{if .VisibleFlags}}_[options]_{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}_[arguments]_{{end}}{{end}}{{if .Description}}

## DESCRIPTION
{{.Description}}{{end}}

## COMMANDS
{{range .VisibleCategories}}{{if .Name}}{{.Name}}:{{end}}
|||
|---|---|{{range .VisibleCommands}}
| **{{join .Names ", "}}** | {{.Usage}} |{{end}}
{{end}}{{if .VisibleFlags}}
## OPTIONS
{{range .VisibleFlags}}
{{.}}
{{end}}{{end}}
```

The amount of time remaining before certificate expiration, at which point a rekey should be
attempted. The certificate rekey will not be performed if the time to expiration is greater than the **--expires-in** value. A random jitter (duration/20) will be added to avoid multiple services hitting the rekey endpoint at the same time. The is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

**step ca provisioner webhook update** [**--url**=] [**--kind**=] [**--bearer-token-file**=] [**--basic-auth-username**=] [**--basic-auth-password-file**=] [**--disable-tls-client-auth**] [**--cert-type**=] [**--admin-cert**=] [**--admin-key**=] [**--admin-subject**=] [**--admin-provisioner**=] [**--admin-password-file**=] [**--ca-url**=] [**--root**=] [**--context**=] [**--ca-config**=]

**step ca init** [**--root**=] [**--key**=] [**--key-password-file**=] [**--pki**] [**--ssh**] [**--helm**] [**--deployment-type**=] [**--name**=] [**--dns**=] [**--address**=] [**--provisioner**=] [**--admin-subject**=] [**--provisioner-password-file**=] [**--password-file**=] [**--ra**=] [**--kms**=] [**--with-ca-url**=] [**--no-db**] [**--remote-management**] [**--acme**] [**--context**=] [**--profile**=] [**--authority**=]

The amount of time remaining before certificate expiration, at which point a renewal should be attempted. The certificate renewal will not be performed if the time to expiration is greater than the **--expires-in** value. A random jitter (duration/20) will be added to avoid multiple services hitting the renew endpoint at the same time. The is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

**step ca sign** [**--token**=] [**--issuer**=] [**--provisioner-password-file**=] [**--not-before**=] [**--not-after**=] [**--set**=] [**--set-file**=] [**--acme**=] [**--standalone**] [**--webroot**=] [**--contact**=] [**--http-listen**=] [**--console**] [**--x5c-cert**=] [**--x5c-key**=] [**--k8ssa-token-path**=] [**--offline**] [**--password-file**=] [**--ca-url**=] [**--root**=] [**--context**=]

**step ca policy x509 wildcards deny** denies wildcard names in X.509 policy.

## EXAMPLES

Deny wildcard names in X.509 certificates on authority level:
'''
$ step ca policy authority x509 wildcards deny
'''

Deny wildcard names in X.509 certificates on provisioner level:
'''
$ step ca policy provisioner x509 wildcards deny --provisioner my_provisioner
'''

Deny wildcard names in X.509 certificates on ACME account level by reference:
'''
$ step ca policy acme x509 wildcards deny --provisioner my_acme_provisioner --eab-reference my_reference
'''

The hash algorithm to use.

: must be one of:

**sha1** (or sha)
: SHA-1 produces a 160-bit hash value

**sha224**
: SHA-224 produces a 224-bit hash value

**sha256** (default)
: SHA-256 produces a 256-bit hash value

**sha384**
: SHA-384 produces a 384-bit hash value

**sha512**
: SHA-512 produces a 512-bit hash value

**sha512-224**
: SHA-512/224 produces a 224-bit hash value

**sha512-256**
: SHA-512/256 produces a 256-bit hash value

**md5** (requires --insecure)
: MD5 produces a 128-bit hash value

**step ssh list** lists public key identities known to the ssh agent. By default it prints key fingerprints; to list the raw keys use the flag **--raw**.

## POSITIONAL ARGUMENTS

: Optional subject or comment to filter keys by.
## EXAMPLES

List all key fingerprints known to the agent:
'''
$ step ssh list
'''

List all the key fingerprints with the comment joe@work:
'''
$ step ssh list joe@work
'''

List all keys known to the agent:
'''
$ step ssh list --raw
'''

List all the keys with the comment joe@work:
'''
$ step ssh list --raw joe@work
'''

```
{
  "subject": {"commonName": {{ toJson .Insecure.CR.Subject.CommonName }}},
{{- if .SANs }}
  "sans": {{ toJson .SANs }},
{{- else }}
  "dnsNames": {{ toJson .Insecure.CR.DNSNames }},
  "emailAddresses": {{ toJson .Insecure.CR.EmailAddresses }},
  "ipAddresses": {{ toJson .Insecure.CR.IPAddresses }},
  "uris": {{ toJson .Insecure.CR.URIs }},
{{- end }}
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
  "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
  "keyUsage": ["digitalSignature"],
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}
```

**step ca policy x509 wildcards allow** allows wildcard names in X.509 policy.

## EXAMPLES

Allow wildcard names in X.509 certificates on authority level:
'''
$ step ca policy authority x509 wildcards allow
'''

Allow wildcard names in X.509 certificates on provisioner level:
'''
$ step ca policy provisioner x509 wildcards allow --provisioner my_provisioner
'''

Allow wildcard names in X.509 certificates on ACME account level by reference:
'''
$ step ca policy acme x509 wildcards allow --provisioner my_acme_provisioner --eab-reference my_reference
'''

```
## NAME
**{{.HelpName}}** -- {{.Usage}}

## USAGE
'''raw
{{if .UsageText}}{{.UsageText}}{{else}}**{{.HelpName}}** {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments]{{end}}{{end}}
'''
{{- if .Description}}

## DESCRIPTION
{{.Description}}{{end}}

## COMMANDS
{{range .VisibleCategories}}{{if .Name}}{{.Name}}:{{end}}
| Name | Usage |
|---|---|{{range .VisibleCommands}}
| **[{{join .Names ", "}}]({{.Name}}/)** | {{.Usage}} |{{end}}
{{end}}{{if .VisibleFlags}}
## OPTIONS
{{range .VisibleFlags}}
{{.}}
{{end}}{{end}}
```

Enable an ACME
attestation statement in the provisioner. Use the flag multiple times to configure multiple challenges.

The supported ACME attestation formats are:

**apple**
: With the apple format, Apple devices can use the device-attest-01 challenge to get a new certificate.

**step**
: With the step format, devices like YubiKeys that can generate an attestation certificate can use the device-attest-01 challenge to get a new certificate.

**tpm**
: With the tpm format, devices with TPMs can use the device-attest-01 challenge to get a new certificate.

**step ca admin** command group provides facilities for managing the certificate authority admins.

An admin is an entity that manages administrative resources (like authority configuration, provisioner configuration, and other admins) within a certificate authority.

## EXAMPLES

List the active admins:
'''
$ step ca admin list
'''

Add an admin:
'''
$ step ca admin add max@smallstep.com my-jwk-provisioner --super
'''

Update an admin:
'''
$ step ca admin update max@smallstep.com --super=false
'''

Remove an admin:
'''
$ step ca admin remove max@smallstep.com
'''

Root certificate(s) that will be used to verify the authenticity of the remote server.

: is a case-sensitive string and may be one of:

**file**
: Relative or full path to a file. All certificates in the file will be used for path validation.

**list of files**
: Comma-separated list of relative or full file paths. Every PEM encoded certificate from each file will be used for path validation.

**directory**
: Relative or full path to a directory. Every PEM encoded certificate from each file in the directory will be used for path validation.

**step certificate create** [**--kty**=] [**--curve**=] [**--size**=] [**--csr**] [**--profile**=] [**--template**=] [**--set**=] [**--set-file**=] [**--not-before**=] [**--not-after**=] [**--san**=] [**--ca**=] [**--ca-kms**=] [**--ca-key**=] [**--ca-password-file**=] [**--kms**=] [**--key**=] [**--password-file**=] [**--bundle**] [**--skip-csr-signature**] [**--no-password**] [**--subtle**] [**--insecure**]

**step certificate bundle** bundles a certificate with any intermediates necessary to validate the certificate.

## POSITIONAL ARGUMENTS

: The path to a leaf certificate to bundle with issuing certificate(s).
: The path to the Certificate Authority issuing certificate.
: The path to write the bundle.

## EXIT CODES

This command returns 0 on success and >0 if any error occurs.

## EXAMPLES

Bundle a certificate with the intermediate certificate authority (issuer):
'''
$ step certificate bundle foo.crt intermediate-ca.crt foo-bundle.crt
'''

**step ca federation** downloads a certificate bundle with all the root certificates in the federation.
## POSITIONAL ARGUMENTS

: File to write federation certificates (PEM format)

## EXAMPLES

Download the federated roots with flags set by :
'''
$ step ca federation federation.pem
'''

Download the federated roots with custom flags:
'''
$ step ca federation federation.pem \
    --ca-url https://ca.example.com \
    --root /path/to/root_ca.crt
'''

Print the federated roots using flags set by :
'''
$ step ca federation
'''

```
NAME:
   {{.HelpName}} - {{if .Description}}{{.Description}}{{else}}{{.Usage}}{{end}}

USAGE:
   {{if .UsageText}}{{.UsageText}}{{else}}{{.HelpName}} command{{if .VisibleFlags}} [command options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}{{end}}

COMMANDS:{{range .VisibleCategories}}{{if .Name}}
   {{.Name}}:{{range .VisibleCommands}}
     {{join .Names ", "}}{{"\t"}}{{.Usage}}{{end}}{{else}}{{range .VisibleCommands}}
   {{join .Names ", "}}{{"\t"}}{{.Usage}}{{end}}{{end}}{{end}}{{if .VisibleFlags}}

OPTIONS:
   {{range .VisibleFlags}}{{.}}
   {{end}}{{end}}
```

````
% {{ .App.Name }}(8) {{ .App.Description }}
% {{ .App.Author }}

# NAME

{{ .App.Name }}{{ if .App.Usage }} - {{ .App.Usage }}{{ end }}

# SYNOPSIS

{{ .App.Name }}
{{ if .SynopsisArgs }}
```
{{ range $v := .SynopsisArgs }}{{ $v }}{{ end }}```
{{ end }}{{ if .App.UsageText }}
# DESCRIPTION

{{ .App.UsageText }}
{{ end }}
**Usage**:

```
{{ .App.Name }} [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
```
{{ if .GlobalArgs }}
# GLOBAL OPTIONS

{{ range $v := .GlobalArgs }}
{{ $v }}{{ end }}
{{ end }}{{ if .Commands }}
# COMMANDS

{{ range $v := .Commands }}
{{ $v }}{{ end }}{{ end }}
````

The hash algorithm to use.
: must be one of:

**sha1** (or sha)
: SHA-1 produces a 160-bit hash value

**sha224**
: SHA-224 produces a 224-bit hash value

**sha256** (default)
: SHA-256 produces a 256-bit hash value

**sha384**
: SHA-384 produces a 384-bit hash value

**sha512**
: SHA-512 produces a 512-bit hash value

**sha512-224**
: SHA-512/224 uses SHA-512 and truncates the output to 224 bits

**sha512-256**
: SHA-512/256 uses SHA-512 and truncates the output to 256 bits

**md5** (requires --insecure)
: MD5 produces a 128-bit hash value

The "cty" (content type) Header Parameter is used by JWS applications to declare the media type of the secured content (the payload). This is intended for use by the application when more than one kind of object could be present in the JWS Payload; the application can use this value to disambiguate among the different kinds of objects that might be present. It will typically not be used by applications when the kind of object is already known. This parameter is ignored by JWS implementations; any processing of this parameter is performed by the JWS application. Use of is optional.

**%s** shows the currently configured policy.

## EXAMPLES

View the authority certificate issuance policy:
'''
$ step ca policy authority view
'''

View a provisioner certificate issuance policy:
'''
$ step ca policy provisioner view --provisioner my_provisioner
'''

View an ACME EAB certificate issuance policy by reference:
'''
$ step ca policy acme view --provisioner my_acme_provisioner --eab-key-reference my_reference
'''

View an ACME EAB certificate issuance policy by EAB Key ID:
'''
$ step ca policy acme view --provisioner my_acme_provisioner --eab-key-id "lUOTGwvFQADjk8nxsVufbhyTOwrFmvO2"
'''

**step crypto key inspect** prints details of a public or a private key in a human readable format.

## POSITIONAL ARGUMENTS

: Path to a public or private key.
## EXAMPLES

Print details of the given key:
'''
$ step crypto key inspect priv.pem
'''

## NOTES

This command shows the raw parameters of the keys; it does not include headers that the marshaled version of the keys might have. For example, a marshaled version of an EC public key will have 0x04 in the first byte to indicate the uncompressed form specified in section 4.3.6 of ANSI X9.62.

**%s** removes a certificate issuance policy.

## EXAMPLES

Remove the authority certificate issuance policy:
'''
$ step ca policy authority remove
'''

Remove a provisioner certificate issuance policy:
'''
$ step ca policy provisioner remove --provisioner my_provisioner
'''

Remove an ACME EAB certificate issuance policy by reference:
'''
$ step ca policy acme remove --provisioner my_acme_provisioner --eab-key-reference my_reference
'''

Remove an ACME EAB certificate issuance policy by EAB Key ID:
'''
$ step ca policy acme remove --provisioner my_acme_provisioner --eab-key-id "lUOTGwvFQADjk8nxsVufbhyTOwrFmvO2"
'''

The hash algorithm to use on RSA PKCS #1 1.5 and RSA-PSS signatures.

: must be one of:

**sha1** (or sha)
: SHA-1 produces a 160-bit hash value

**sha224**
: SHA-224 produces a 224-bit hash value

**sha256** (default)
: SHA-256 produces a 256-bit hash value

**sha384**
: SHA-384 produces a 384-bit hash value

**sha512**
: SHA-512 produces a 512-bit hash value

**sha512-224**
: SHA-512/224 uses SHA-512 and truncates the output to 224 bits

**sha512-256**
: SHA-512/256 uses SHA-512 and truncates the output to 256 bits

**md5**
: MD5 produces a 128-bit hash value

**step certificate format** prints the certificate or CSR in a different format. Only two formats are currently supported: PEM and ASN.1 DER. This tool will convert a certificate or CSR in one format to the other.

## POSITIONAL ARGUMENTS

: Path to a certificate or CSR file.

## EXIT CODES

This command returns 0 on success and >0 if any error occurs.
## EXAMPLES

Convert PEM format to DER:
'''
$ step certificate format foo.pem
'''

Convert DER format to PEM:
'''
$ step certificate format foo.der
'''

Convert PEM format to DER and write to disk:
'''
$ step certificate format foo.pem --out foo.der
'''

**step crypto key verify** verifies the signature of a file or a message.

## POSITIONAL ARGUMENTS

: File to verify.

## EXAMPLES

Verify a file with its signature:
'''
$ step crypto key verify --key pub.key --sig "base64...=" file.txt
true
'''

Verify a file using PKCS #1 v1.5:
'''
$ step crypto key verify --key rsa.pub --sig "base64...=" file.txt
'''

Verify a file using PKCS #1 v1.5 and SHA512:
'''
$ step crypto key verify --key rsa.pub --alg sha512 --sig "base64...=" file.txt
'''

Verify a file using the RSA-PSS scheme:
'''
$ step crypto key verify --key rsa.pub --pss --sig "base64...=" file.txt
'''

**step ca acme eab list** lists all ACME External Account Binding (EAB) Keys.

Output will go to stdout by default. If many EAB keys are stored in the ACME provisioner, output will be sent to $PAGER (when set).

## POSITIONAL ARGUMENTS

: Name of the provisioner to list ACME EAB keys for
: (Optional) reference (from external system) for the key to be listed

## EXAMPLES

List all ACME External Account Binding Keys:
'''
$ step ca acme eab list my_acme_provisioner
'''

Show ACME External Account Binding Key with specific reference:
'''
$ step ca acme eab list my_acme_provisioner my_reference
'''

**step ssh rekey** command generates a new SSH Certificate and key using an existing SSH Certificate and key pair to authenticate and templatize the request. It writes the new certificate to disk, either overwriting the existing files or using new files when the **--out**= flag is used.

## POSITIONAL ARGUMENTS

: The ssh certificate to renew.
: The ssh certificate private key.
## EXAMPLES

Rekey an ssh certificate:
'''
$ step ssh rekey id_ecdsa-cert.pub id_ecdsa
'''

Rekey an ssh certificate creating id2_ecdsa, id2_ecdsa.pub, and id2_ecdsa-cert.pub:
'''
$ step ssh rekey --out id2_ecdsa id_ecdsa-cert.pub id_ecdsa
'''

**step ca certificate** [**--token**=] [**--issuer**=] [**--provisioner-password-file**=] [**--not-before**=] [**--not-after**=] [**--san**=] [**--set**=] [**--set-file**=] [**--acme**=] [**--standalone**] [**--webroot**=] [**--contact**=] [**--http-listen**=] [**--kty**=] [**--curve**=] [**--size**=] [**--console**] [**--x5c-cert**=] [**--x5c-key**=] [**--k8ssa-token-path**=] [**--offline**] [**--password-file**] [**--ca-url**=] [**--root**=] [**--context**=]