e a renew token and use it in a renew after expiry request:
'''
$ TOKEN=$(step ca token --x5c-cert internal.crt --x5c-key internal.key --renew internal.example.com)
$ curl -X POST -H "Authorization: Bearer $TOKEN" https://ca.example.com/1.0/renew
'''

Generate a JWK provisioner token using a key in a YubiKey:
'''
$ step ca token --kms yubikey:pin-value=123456 --key yubikey:slot-id=82 internal.example.com
'''

Generate an X5C provisioner token using a certificate in a YubiKey. Note that a
YubiKey does not support storing a certificate bundle. To make it work, you must
add the intermediate and the root in the provisioner configuration:
'''
$ step ca token --kms yubikey:pin-value=123456 \
  --x5c-cert yubikey:slot-id=82 --x5c-key yubikey:slot-id=82 \
  internal.example.com
'''

Generate a token with custom data in the "user" claim. The example below can be
accessed in a template as **.Token.user.field**, rendering to the string
"value".

This is distinct from **.Insecure.User**: any attributes set using this option
are added to a claim named "user" in the signed JWT produced by this command.
This data may therefore be considered trusted (insofar as the token itself is
trusted).
'''
$ step ca token --set field=value internal.example.com
'''