can be used in case www.example.com is not allowed as a DNS SAN, but is allowed to be used in the Common Name.

'''
$ step ca policy authority x509 allow cn www.example.com
'''

Remove www.example.com from allowed Common Names in X.509 certificates on authority level:

'''
$ step ca policy authority x509 allow cn www.example.com --remove
'''

Deny "My Bad CA Name" as Common Name in X.509 certificates on authority level:

'''
$ step ca policy authority x509 deny cn "My Bad CA Name"
'''

**step certificate key** prints the public key embedded in a certificate or a certificate signing request. If is a certificate bundle, only the first block will be taken into account. The command will print a public or a decrypted private key if contains only a key.

## POSITIONAL ARGUMENTS

: Path to a certificate or certificate signing request (CSR).

## EXAMPLES

Get the public key of a certificate:

'''
$ step certificate key certificate.crt
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEio9DLyuglMxakS3w00DUKdGbeXXB
2Mfg6tVofeXYan9RbvftZufiypIAVqGZqO7CR9EbkoyHb/7GcKQa5HZ9rA==
-----END PUBLIC KEY-----
'''

Get the public key of a CSR and save it to a file:

'''
$ step certificate key certificate.csr --out key.pem
'''

**step crl inspect** validates and prints the details of a certificate revocation list (CRL). A CRL is considered valid if its signature is valid, the CA is not expired, and the next update time is in the future.

## POSITIONAL ARGUMENTS

: The file or URL where the CRL is. If <--from> is passed it will inspect the certificate and extract the CRL distribution point from.
## EXAMPLES

Inspect a CRL:

'''
$ step crl inspect --insecure http://ca.example.com/crls/exampleca.crl
'''

Inspect and validate a CRL in a file:

'''
$ step crl inspect --ca ca.crt exampleca.crl
'''

Format the CRL in JSON:

'''
$ step crl inspect --insecure --format json exampleca.crl
'''

Inspect the CRL from the CRL distribution point of a given URL:

'''
$ step crl inspect --from https://www.google.com
'''

'''
Match exec "step ssh check-host{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %h"
{{- if .User.User }}
	User {{.User.User}}
{{- end }}
{{- if or .User.GOOS "none" | eq "windows" }}
	UserKnownHostsFile "{{.User.StepPath}}\ssh\known_hosts"
	ProxyCommand C:\Windows\System32\cmd.exe /c step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Console}} --console {{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p
{{- else }}
	UserKnownHostsFile "{{.User.StepPath}}/ssh/known_hosts"
	ProxyCommand step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Console}} --console {{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p
{{- end }}
'''

**step crypto jws verify** reads a JWS data structure from STDIN; checks that the algorithm is in agreement with expectations; verifies the digital signature or message authentication code as appropriate; and outputs the decoded payload of the JWS on STDOUT. If verification fails a non-zero failure code is returned. If verification succeeds the command returns 0.

For a JWS to be verified successfully:

* The JWS must be well formed (no errors during deserialization)
* The must match the **"alg"** member in the JWS header
* The must match the **"kid"** member in the JWS header (if both are present) and must match the **"kid"** in the JWK or the **"kid"** of one of the JWKs in JWKS
* The JWS signature must be successfully verified

For examples, see **step help crypto jws**.

The of provisioner to create.

: is a case-insensitive string and must be one of:

**JWK**
: Uses a JWK key pair to sign provisioning tokens. (default)

**OIDC**
: Uses an OpenID Connect provider to sign provisioning tokens.

**AWS**
: Uses Amazon AWS instance identity documents.

**GCP**
: Uses Google instance identity tokens.

**Azure**
: Uses Microsoft Azure identity tokens.

**ACME**
: Uses the ACME protocol to create certificates.

**X5C**
: Uses an X509 certificate / private key pair to sign provisioning tokens.

**K8SSA**
: Uses Kubernetes Service Account tokens.

**SSHPOP**
: Uses an SSH certificate / private key pair to sign provisioning tokens.

**SCEP**
: Uses the SCEP protocol to create certificates.

**Nebula**
: Uses a Nebula certificate / private key pair to sign provisioning tokens.

**step ssh logout** removes a key from the ssh-agent. By default it only removes certificate keys signed by step-certificates, but the flag **--all** can be used to remove all keys with a given subject or all keys.

## POSITIONAL ARGUMENTS

: The certificate identity or comment in the key.
## EXAMPLES

Remove all identities signed by your SSH CA:

'''
$ step ssh logout
'''

Remove the certificate mariano@work from the SSH agent:

'''
$ step ssh logout mariano@work
'''

Remove all the keys and certificates for mariano@work from the SSH agent:

'''
$ step ssh logout --all mariano@work
'''

Remove the key mariano@work from the agent listening in /tmp/ssh/agent:

'''
$ SSH_AUTH_SOCK=/tmp/ssh/agent step ssh logout mariano@work
'''

Remove all the keys stored in the SSH agent:

'''
$ step ssh logout --all
'''

**step crypto key sign** generates a signature of the digest of a file or a message using an asymmetric key. For an RSA key, the resulting signature is either a PKCS #1 v1.5 or PSS signature. For an (EC)DSA key, it is a DER-serialized, ASN.1 signature structure.

## POSITIONAL ARGUMENTS

: File to sign

## EXAMPLES

Sign a file using the default options:

'''
$ step crypto key sign --key priv.key file.txt
'''

Sign a message using the default options:

'''
$ echo "message to be signed" | step crypto key sign --key priv.key
'''

Sign a file using SHA512 as the digest algorithm:

'''
$ step crypto key sign --key priv.key --alg sha512 file.txt
'''

Sign a file using PKCS #1 v1.5:

'''
$ step crypto key sign --key rsa.key file.txt
'''

Sign a file using the RSA-PSS scheme:

'''
$ step crypto key sign --key rsa.key --pss file.txt
'''

**step ca provisioner webhook update** updates a webhook attached to a provisioner.

## POSITIONAL ARGUMENTS

: The name of the provisioner.

: The name of the webhook.
## EXAMPLES

Change a webhook's URL:

'''
step ca provisioner webhook update my_provisioner my_webhook --url https://example.com
'''

Configure a webhook to send a bearer token to the server:

'''
step ca provisioner webhook update my_provisioner my_webhook --bearer-token-file token.txt
'''

Change the password sent to the webhook with basic authentication:

'''
step ca provisioner webhook update my_provisioner my_webhook --basic-auth-password-file my_pass.txt
'''

Configure the webhook to be called only when signing X.509 certificates, not SSH certificates:

'''
step ca provisioner webhook update my_provisioner my_webhook --cert-type X509
'''

**%s** command manages principals in SSH policies.

## EXAMPLES

Allow all principals in SSH host certificates on authority level:

'''
$ step ca policy authority ssh host allow principal "*"
'''

Allow all principals in SSH user certificates on authority level:

'''
$ step ca policy authority ssh user allow principal "*"
'''

Allow principal machine-name in SSH host certificates on provisioner level:

'''
$ step ca policy provisioner ssh host allow principal machine-name --provisioner my_ssh_host_provisioner
'''

Allow principal user in SSH user certificates on provisioner level:

'''
$ step ca policy provisioner ssh user allow principal user --provisioner my_ssh_user_provisioner
'''

Deny principal root in SSH user certificates on provisioner level:

'''
$ step ca policy provisioner ssh user deny principal root --provisioner my_ssh_user_provisioner
'''

**step crypto change-pass** extracts and decrypts the private key from a file and encrypts and serializes the key to disk using a new password.

## POSITIONAL ARGUMENTS

: The PEM or JWK file with the encrypted key.
## EXAMPLES

Change password for a PEM formatted key:

'''
$ step crypto change-pass key.pem
'''

Remove password for a PEM formatted key:

'''
$ step crypto change-pass key.pem --no-password --insecure
'''

Change password for a PEM formatted key and write the encrypted key to a different file:

'''
$ step crypto change-pass key.pem --out new-key.pem
'''

Change password for a JWK formatted key:

'''
$ step crypto change-pass key.jwk
'''

Remove password for a JWK formatted key:

'''
$ step crypto change-pass key.jwk --no-password --insecure
'''

Change password for a JWK formatted key and write the encrypted key to a different file:

'''
$ step crypto change-pass key.jwk --out new-key.jwk
'''

**step ca root** downloads and validates the root certificate from the certificate authority.

## POSITIONAL ARGUMENTS

: File to write root certificate (PEM format)

## EXAMPLES

Get the root fingerprint in the CA:

'''
$ step certificate fingerprint /path/to/root_ca.crt
0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
'''

Download the root certificate from the configured certificate authority:

'''
$ step ca root root_ca.crt \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
'''

Download the root certificate using a given certificate authority:

'''
$ step ca root root_ca.crt \
  --ca-url https://ca.smallstep.com:9000 \
  --fingerprint 0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
'''

Print the root certificate using the flags set by :

'''
$ step ca root
'''
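The four verification rules listed under **step crypto jws verify** above, worked through in Python as an added example (not the step CLI's own code): it checks well-formedness, the expected alg, the kid agreement between expectation, header and JWKS, and the MAC, for a compact HS256 JWS. The function names, the restriction to HS256 with symmetric `oct` JWKs, and the sample JWKS are assumptions.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_hs256_jws(token: str, jwks: list, expected_alg: str, expected_kid=None) -> bytes:
    """Apply the jws verify rules to a compact HS256 JWS; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:                                   # rule 1: well formed
        raise ValueError("malformed JWS: expected three dot-separated parts")
    try:
        header = json.loads(b64url_decode(parts[0]))      # base64url and JSON errors are ValueErrors
    except ValueError:
        raise ValueError("malformed JWS: header is not base64url-encoded JSON")
    if not isinstance(header, dict):
        raise ValueError("malformed JWS: header is not a JSON object")
    if expected_alg != "HS256" or header.get("alg") != expected_alg:  # rule 2: alg must match
        raise ValueError("alg mismatch or unsupported alg")
    kid = header.get("kid")                               # rule 3: kid agreement
    if expected_kid is not None and kid is not None and kid != expected_kid:
        raise ValueError("kid mismatch between expectation and JWS header")
    wanted = expected_kid if expected_kid is not None else kid
    keys = [k for k in jwks if k.get("kty") == "oct" and (wanted is None or k.get("kid") == wanted)]
    if not keys:
        raise ValueError("no JWK in the JWKS matches the kid")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    sig = b64url_decode(parts[2])
    for k in keys:                                        # rule 4: the MAC must verify
        mac = hmac.new(b64url_decode(k["k"]), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, sig):
            return b64url_decode(parts[1])
    raise ValueError("signature verification failed")

def sign_hs256(payload: bytes, jwk: dict) -> str:
    """Build a compact HS256 JWS carrying a kid header (only used to construct test input)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(payload)
    mac = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"

# Constructed sample JWKS with two symmetric keys (placeholder secrets, not real material).
JWKS = [
    {"kty": "oct", "kid": "key-1", "k": b64url_encode(b"constructed-secret-one")},
    {"kty": "oct", "kid": "key-2", "k": b64url_encode(b"constructed-secret-two")},
]
```

A kid that is absent from both the expectation and the header makes every `oct` key in the JWKS a candidate, which is why the loop tries each matching key before reporting a signature failure.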