CSRs), creating self-signed certificates (e.g., for use as a root certificate authority), generating leaf or intermediate CA certificates by signing a CSR, validating certificates, renewing certificates, generating certificate bundles, and key-wrapping of private keys.

## EXAMPLES

Create a root certificate and private key using the default parameters (EC P-256 curve):

'''
$ step certificate create foo foo.crt foo.key --profile root-ca
'''

Create a leaf certificate and private key using the default parameters (EC P-256 curve):

'''
$ step certificate create baz baz.crt baz.key --ca ./foo.crt --ca-key ./foo.key
'''

Create a CSR and private key using the default parameters (EC P-256 curve):

'''
$ step certificate create zap zap.csr zap.key --csr
'''

Sign a CSR and generate a signed certificate:

'''
$ step certificate sign zap.csr foo.crt foo.key
'''

Inspect the contents of a certificate:

'''
$ step certificate inspect ./baz.crt
'''

Verify the signature of a certificate:

'''
$ step certificate verify ./baz.crt --roots ./foo.crt
'''

Lint the contents of a certificate to check for common errors and missing fields:

'''
$ step certificate lint ./baz.crt
'''

Bundle an end certificate with the issuing certificate:

'''
$ step certificate bundle ./baz.crt ./foo.crt bundle.crt
'''

Convert a PEM format certificate to DER and write it to disk:
'''
$ step certificate format foo.pem --out foo.der
'''

Extract the public key from a PEM encoded certificate:

'''
$ step certificate key foo.crt
'''

Install a root certificate in the system's default trust store:

'''
$ step certificate install root-ca.crt
'''

Uninstall a root certificate from the system's default trust store:

'''
$ step certificate uninstall root-ca.crt
'''

**step certificate verify** executes the certificate path validation algorithm for X.509 certificates defined in RFC 5280. If the certificate is valid this command will return '0'. If validation fails, or if an error occurs, this command will produce a non-zero return value.

## POSITIONAL ARGUMENTS

: The path to a certificate to validate.

## EXIT CODES

This command returns 0 on success and \>0 if any error occurs.

## EXAMPLES

Verify a certificate using your operating system's default root certificate bundle:

'''
$ step certificate verify ./certificate.crt
'''

Verify a remote certificate using your operating system's default root certificate bundle:

'''
$ step certificate verify https://smallstep.com
'''

Verify a certificate using a custom root certificate for path validation:

'''
$ step certificate verify ./certificate.crt --roots ./root-certificate.crt
'''

Verify a certificate using a custom list of root certificates for path validation:

'''
$ step certificate verify ./certificate.crt \
    --roots "./root-certificate.crt,./root-certificate2.crt,/root-certificate3.crt"
'''

Verify a certificate using a custom directory of root certificates for path validation:

'''
$ step certificate verify ./certificate.crt --roots ./root-certificates/
'''

Verify a certificate including OCSP and CRL checks, using the CRL and OCSP endpoints defined in the certificate:

'''
$ step certificate verify ./certificate.crt --verify-crl --verify-ocsp
'''

Verify a certificate including an OCSP check, specifying an OCSP server:

'''
$ step certificate verify ./certificate.crt --verify-ocsp --ocsp-endpoint http://acme.com/ocsp
'''

Verify a certificate including a CRL check, specifying a CRL server and providing the issuing CA certificate:

'''
$ step certificate verify ./certificate.crt --issuing-ca ./issuing_ca.pem \
    --verify-crl --crl-endpoint http://acme.com/crl
'''

**step crypto key fingerprint** prints the fingerprint of a public key. The fingerprint of a private key is based only on the public part of the key. By default the fingerprint is the SHA-256 hash, with raw Base64 encoding, of the ASN.1 BIT STRING of the subjectPublicKey defined in RFC 5280. Using the **--pkix** flag, the fingerprint is calculated from the PKIX encoding of the public key. Using the **--ssh** flag, the fingerprint is calculated from the SSH encoding.

Note that for certificates and certificate requests, the fingerprint is based only on the public key embedded in the certificate. To get the fingerprint of the certificate itself, use the appropriate command:

'''
$ step certificate fingerprint
$ step ssh fingerprint
'''

## POSITIONAL ARGUMENTS

: Path to a public key, private key, certificate (X.509 or SSH), or certificate request.

## EXAMPLES

Print the fingerprint of a public key:

'''
$ step crypto key fingerprint pub.pem
'''

Print the fingerprint of the PKIX encoding of a public key:

'''
$ step crypto key fingerprint --pkix pub.pem
'''

Print the fingerprint of the public key using the SSH marshaling:

'''
$ step crypto key fingerprint --ssh pub.pem
'''

Print the fingerprint of the key embedded in a certificate using the SHA-1 hash:

'''
$ step crypto key fingerprint --sha1 cert.pem
'''

Print the same fingerprint for a public key, a private key and a certificate, all with the same public key:

'''
$ step crypto key fingerprint id_ed25519
$ step crypto key fingerprint id_ed25519.pub
$ step crypto key fingerprint id_ed25519-cert.pub
'''

Print the fingerprint of the key using an external tool:

'''
$ step crypto key fingerprint --raw pub.pem | md5sum
'''

Print the fingerprint of the public key of an encrypted private key:

'''
$ step crypto key fingerprint --password-file pass.txt priv.pem
'''

The cryptographic algorithm used to encrypt or determine the value of the content encryption key (CEK).
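The default and **--pkix** fingerprints that **step crypto key fingerprint** describes above can be reproduced outside step, which is useful when auditing a key inventory produced by another tool. This is an added example, not step's own code: it uses only the Python standard library, a hand-built Ed25519 SubjectPublicKeyInfo as constructed sample input, and assumes that "raw Base64" means the standard alphabet without padding (the **--ssh** encoding is not covered).

```python
import base64
import hashlib
import re

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return base64.b64decode("".join(body.split()))

def der_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_public_key_bits(spki_der: bytes) -> bytes:
    """Return the contents of the subjectPublicKey BIT STRING (RFC 5280, 4.1.2.7)."""
    tag, seq, _ = der_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg_id, pos = der_tlv(seq)      # AlgorithmIdentifier is not part of the hash
    tag, bits, _ = der_tlv(seq, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    return bits[1:]                     # drop the unused-bits octet

def raw_b64_sha256(data: bytes) -> str:
    # Assumption: "raw Base64" = standard alphabet without '=' padding.
    return base64.b64encode(hashlib.sha256(data).digest()).decode().rstrip("=")

def fingerprint(pem: str, pkix: bool = False) -> str:
    """Default: hash the BIT STRING contents; pkix=True: hash the whole SPKI DER."""
    der = pem_to_der(pem)
    return raw_b64_sha256(der if pkix else subject_public_key_bits(der))

# Constructed sample: a well-formed Ed25519 SubjectPublicKeyInfo whose 32 key
# bytes are 0x00..0x1f (not a real key; only the encoding matters here).
SAMPLE_KEY = bytes(range(32))
SAMPLE_DER = bytes.fromhex("302a300506032b6570032100") + SAMPLE_KEY
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print("default:", fingerprint(SAMPLE_PEM))
    print("--pkix: ", fingerprint(SAMPLE_PEM, pkix=True))
```

The two values differ because the PKIX form also covers the AlgorithmIdentifier, so a key's default fingerprint cannot be compared against a --pkix one.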
Algorithms are case-sensitive strings defined in RFC 7518. The selected algorithm must be compatible with the key type. This flag is optional. If not specified, the **"alg"** member of the JWK is used. If the JWK has no **"alg"** member then a default is selected depending on the JWK key type. If the JWK has an **"alg"** member and the **--alg** flag is passed, the two options must match unless the **--subtle** flag is also passed.

: is a case-sensitive string and must be one of:

**RSA1_5**
: RSAES-PKCS1-v1_5

**RSA-OAEP**
: RSAES OAEP using default parameters

**RSA-OAEP-256** (default for RSA keys)
: RSAES OAEP using SHA-256 and MGF1 with SHA-256

**A128KW**
: AES Key Wrap with default initial value using 128-bit key

**A192KW**
: AES Key Wrap with default initial value using 192-bit key

**A256KW**
: AES Key Wrap with default initial value using 256-bit key

**dir**
: Direct use of a shared symmetric key as the content encryption key (CEK)

**ECDH-ES** (default for EC keys)
: Elliptic Curve Diffie-Hellman Ephemeral Static key agreement

**ECDH-ES+A128KW**
: ECDH-ES using Concat KDF and CEK wrapped with "A128KW"

**ECDH-ES+A192KW**
: ECDH-ES using Concat KDF and CEK wrapped with "A192KW"

**ECDH-ES+A256KW**
: ECDH-ES using Concat KDF and CEK wrapped with "A256KW"

**A128GCMKW**
: Key wrapping with AES GCM using 128-bit key

**A192GCMKW**
: Key wrapping with AES GCM using 192-bit key

**A256GCMKW** (default for oct keys)
: Key wrapping with AES GCM using 256-bit key

**PBES2-HS256+A128KW**
: PBES2 with HMAC SHA-256 and "A128KW" wrapping

**PBES2-HS384+A192KW**
: PBES2 with HMAC SHA-256 and "A192KW" wrapping

**PBES2-HS512+A256KW**
: PBES2 with HMAC SHA-256 and "A256KW" wrapping
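The selection rules above (JWK "alg" member, **--alg** flag, **--subtle** override, per-key-type defaults) can be checked before an invocation is run. This is an added example, not step's own code: the key-type compatibility table is an assumption taken from RFC 7518 rather than from the page, and it assumes that with **--subtle** the flag value wins over the JWK's own "alg"; the AES key-wrap size check is included because those algorithms only work with an oct key of exactly the advertised size.

```python
import base64
import re

# Defaults per key type, as stated in the flag description.
DEFAULT_ALG = {"RSA": "RSA-OAEP-256", "EC": "ECDH-ES", "oct": "A256GCMKW"}
# Assumption (RFC 7518, not stated on the page): which algs each key type can use.
COMPATIBLE = {
    "RSA": {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256"},
    "EC": {"ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"},
    "oct": {"dir", "A128KW", "A192KW", "A256KW",
            "A128GCMKW", "A192GCMKW", "A256GCMKW"},
}

def oct_key_bits(jwk: dict) -> int:
    """Size in bits of a symmetric JWK's base64url-encoded 'k' member."""
    k = jwk.get("k", "")
    return len(base64.urlsafe_b64decode(k + "=" * (-len(k) % 4))) * 8

def select_alg(jwk: dict, flag_alg=None, subtle=False) -> str:
    """Resolve the key-management alg for a JWK plus an optional --alg value."""
    kty = jwk.get("kty")
    if kty not in DEFAULT_ALG:
        raise ValueError(f"unsupported key type {kty!r}")
    jwk_alg = jwk.get("alg")
    if flag_alg and jwk_alg and flag_alg != jwk_alg and not subtle:
        raise ValueError(f"--alg {flag_alg} does not match JWK alg {jwk_alg}; "
                         "pass --subtle to override")
    # Assumption: with --subtle the flag wins over the JWK's own alg member.
    alg = flag_alg or jwk_alg or DEFAULT_ALG[kty]
    if alg not in COMPATIBLE[kty]:
        raise ValueError(f"{alg} is not compatible with a {kty} key")
    # AES key-wrap algs need an oct key of exactly the bit size in their name.
    m = re.fullmatch(r"A(128|192|256)(GCM)?KW", alg)
    if kty == "oct" and m and oct_key_bits(jwk) != int(m.group(1)):
        raise ValueError(f"{alg} needs a {m.group(1)}-bit key, "
                         f"got {oct_key_bits(jwk)} bits")
    return alg

def alg_error(jwk: dict, flag_alg=None, subtle=False):
    """Return the message select_alg would raise, or None if selection succeeds."""
    try:
        select_alg(jwk, flag_alg, subtle)
        return None
    except ValueError as e:
        return str(e)
```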