step CLI Commands

Modern PKI toolkit from Smallstep for certificate management, internal CAs, and zero-trust infrastructure.

Certificate Inspection

Inspect local certificate

View certificate details in human-readable format:

step certificate inspect cert.pem

Inspect remote certificate

Fetch and inspect certificate from HTTPS server:

step certificate inspect https://example.com

View certificate chain

Show full certificate chain from remote server:

step certificate inspect https://example.com --bundle

JSON output

Get certificate details in JSON format for parsing:

step certificate inspect cert.pem --format json

Check certificate validity

Verify certificate is currently valid:

step certificate verify cert.pem --roots root-ca.pem

Certificate Creation

Create self-signed certificate

Generate self-signed cert for development:

step certificate create example.com example.crt example.key \
  --profile self-signed \
  --subtle

Create certificate with SANs

Include multiple subject alternative names:

step certificate create example.com example.crt example.key \
  --profile self-signed \
  --san "www.example.com" \
  --san "api.example.com" \
  --subtle

Create with custom validity

Set custom expiration period:

step certificate create example.com example.crt example.key \
  --profile self-signed \
  --not-after 8760h \
  --subtle

Create certificate from CSR

Sign a certificate signing request:

step certificate sign request.csr ca.crt ca.key \
  --not-after 8760h

Certificate Authority Operations

Initialize CA

Bootstrap a new certificate authority:

step ca init \
  --name "Internal CA" \
  --dns ca.internal.example.com \
  --address :443 \
  --provisioner admin

Bootstrap CA client

Configure client to trust CA:

step ca bootstrap --ca-url https://ca.internal.example.com

Request certificate from CA

Get certificate from internal CA:

step ca certificate service.internal.example.com \
  service.crt service.key

Renew certificate from CA

Renew an existing certificate:

step ca renew service.crt service.key

Revoke certificate

Revoke an issued certificate:

step ca revoke --cert service.crt --key service.key

SSH Certificate Operations

Create SSH user certificate

Issue SSH certificate for user authentication:

step ssh certificate user@example.com id_ecdsa.pub \
  --principal user

Create SSH host certificate

Issue certificate for SSH host key:

step ssh certificate server.example.com ssh_host_ecdsa_key.pub \
  --host

Inspect SSH certificate

View SSH certificate details:

step ssh inspect id_ecdsa-cert.pub
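What `step ssh inspect` prints (type, key ID, principals, validity window, extensions) is the field list of the OpenSSH certificate wire format (PROTOCOL.certkeys). The following is an added example, not code from the page or from Smallstep: it builds a constructed ed25519 certificate line (zeroed key, nonce and signature, so sshd would reject it) and parses it back, so that a fleet audit script can check principals and lifetimes of `-cert.pub` files without shelling out to `step` or `ssh-keygen -L`. Only the `ssh-ed25519-cert-v01@openssh.com` layout is handled; the ECDSA and RSA variants carry extra key fields before the serial.

```python
import base64
import struct
from datetime import datetime, timezone

# OpenSSH certificate wire format, ed25519 variant (PROTOCOL.certkeys):
#   string type, string nonce, string pubkey, uint64 serial, uint32 cert_type,
#   string key_id, string principals (nested strings), uint64 valid_after,
#   uint64 valid_before, string critical_options, string extensions,
#   string reserved, string signature_key, string signature
CERT_TYPE_NAMES = {1: "user", 2: "host"}
ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"


def _string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated certificate blob")
    return buf[pos:pos + length], pos + length


def _read_strings(blob: bytes) -> list[str]:
    """Decode a nested sequence of strings (principals, extension name/data pairs)."""
    items, pos = [], 0
    while pos < len(blob):
        item, pos = _read_string(blob, pos)
        items.append(item.decode())
    return items


def build_sample_cert(key_id: str, principals: list[str], cert_type: int,
                      valid_after: int, valid_before: int,
                      extensions: tuple[str, ...] = ()) -> str:
    """Constructed sample only: zeroed key, nonce and signature (sshd would reject it)."""
    body = _string(ED25519_CERT) + _string(b"\x00" * 32) + _string(b"\x00" * 32)
    body += struct.pack(">QI", 1, cert_type) + _string(key_id.encode())
    body += _string(b"".join(_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _string(b"")  # no critical options
    # each extension is a name followed by (empty) data
    body += _string(b"".join(_string(e.encode()) + _string(b"") for e in extensions))
    body += _string(b"")  # reserved
    body += _string(_string(b"ssh-ed25519") + _string(b"\x00" * 32))  # CA signature key
    body += _string(b"")  # signature placeholder
    return f"{ED25519_CERT.decode()} {base64.b64encode(body).decode()} {key_id}"


def parse_ssh_cert(line: str) -> dict:
    """Return the fields `step ssh inspect` reports for one -cert.pub line."""
    blob = base64.b64decode(line.split()[1])
    kind, pos = _read_string(blob, 0)
    if kind != ED25519_CERT:
        raise ValueError(f"unsupported certificate type {kind!r}")
    _nonce, pos = _read_string(blob, pos)
    _pubkey, pos = _read_string(blob, pos)
    serial, cert_type = struct.unpack_from(">QI", blob, pos)
    pos += 12
    key_id, pos = _read_string(blob, pos)
    principals, pos = _read_string(blob, pos)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    pos += 16
    _critical, pos = _read_string(blob, pos)
    extensions, pos = _read_string(blob, pos)
    return {
        "serial": serial,
        "type": CERT_TYPE_NAMES.get(cert_type, "unknown"),
        "key_id": key_id.decode(),
        "principals": _read_strings(principals),
        "valid_after": datetime.fromtimestamp(valid_after, timezone.utc),
        "valid_before": datetime.fromtimestamp(valid_before, timezone.utc),
        "extensions": _read_strings(extensions)[0::2],  # names only, data is empty
    }


def lifetime_hours(cert: dict) -> float:
    """Certificate lifetime in hours; a quick check that user certs really are short-lived."""
    return (cert["valid_before"] - cert["valid_after"]).total_seconds() / 3600


if __name__ == "__main__":
    # 1717200000 is 2024-06-01T00:00:00Z; a 16h user certificate
    sample = build_sample_cert("user@example.com", ["user"], 1, 1717200000, 1717257600, ("permit-pty",))
    parsed = parse_ssh_cert(sample)
    print(parsed["type"], parsed["principals"], f"{lifetime_hours(parsed):.0f}h")
```

Feed real certificates by reading the `-cert.pub` file into `parse_ssh_cert`; the signature is deliberately not checked here, since that is what `ssh-keygen -L` and sshd already do.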

Configure SSH to use certificates

Set up SSH CA trust:

# On the SSH server, export the user CA public key(s) that sshd should trust:
step ssh config --roots > /etc/ssh/ca.pub
# Then add to /etc/ssh/sshd_config: TrustedUserCAKeys /etc/ssh/ca.pub
# (step ssh config --host --roots prints the host CA keys instead, for @cert-authority entries in clients' known_hosts)

Cryptographic Key Management

Generate key pair

Create new ECDSA key pair:

step crypto keypair key.pub key.priv --kty EC --curve P-256

Generate RSA key pair

Create RSA key with custom size:

step crypto keypair key.pub key.priv --kty RSA --size 4096

Change key format

Convert a private key between encodings (PEM/DER, PKCS#1/PKCS#8):

step crypto key format key.priv --out key-new.priv
# To change or add the passphrase of an encrypted key instead:
step crypto change-pass key.priv --out key-new.priv

Generate JWK

Create JSON Web Key:

step crypto jwk create pub.json key.json --kty EC

ACME Protocol (Automated Certificate Management)

Request certificate via ACME

Get certificate from ACME server:

step ca certificate example.com example.crt example.key \
  --provisioner acme

ACME with HTTP-01 challenge

Use HTTP challenge for domain validation:

step ca certificate example.com example.crt example.key \
  --provisioner acme \
  --challenge http-01

ACME with DNS-01 challenge

Use DNS challenge for wildcard certificates:

step ca certificate "*.example.com" wildcard.crt wildcard.key \
  --provisioner acme \
  --challenge dns-01

OAuth & OpenID Connect

Initiate OAuth flow

Start OAuth2 device flow for authentication:

step oauth --provider google

Get access token

Retrieve OAuth access token:

step oauth --provider google \
  --client-id YOUR_CLIENT_ID \
  --client-secret YOUR_SECRET \
  --scope "openid email profile"

Verify JWT token

Validate and inspect JWT:

# The token is read from stdin; --iss and --aud must match the token's claims
step crypto jwt verify --jwks https://example.com/.well-known/jwks.json \
  --iss <issuer> --aud <audience> < token.jwt

Certificate Automation & Renewal

Automatic renewal daemon

Run daemon to auto-renew certificates:

step ca renew service.crt service.key \
  --daemon \
  --exec "systemctl reload nginx"

Renew before expiration

Force renewal regardless of the remaining lifetime (the renewal daemon's default is to renew once two thirds of the certificate lifetime has passed; use --expires-in to renew only when expiry is near):

step ca renew --force service.crt service.key

Custom renewal schedule

Set custom renewal timing:

# Via cron
0 0 * * * step ca renew --force /path/to/cert.crt /path/to/key.key
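The JSON output of `step certificate inspect` is what makes renewal decisions scriptable. The following is an added example, not code from the page or from Smallstep: it parses a constructed sample of that JSON (field names `validity.start` / `validity.end` are an assumption about step's inspect format; check them against your own output), applies the two-thirds-of-lifetime rule described under the renewal commands, and builds the `step ca renew --force` argv that a cron job would run. It serves the JSON output, validity check and renewal sections together.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `step certificate inspect cert.pem --format json`, trimmed
# to the fields used here. The validity.start/end names are an assumption.
SAMPLE_INSPECT_JSON = """
{
  "subject": {"common_name": "service.internal.example.com"},
  "issuer": {"common_name": "Internal CA"},
  "validity": {
    "start": "2024-06-01T00:00:00Z",
    "end": "2024-06-02T00:00:00Z",
    "length": 86400
  }
}
"""

RENEW_FRACTION = 2 / 3  # renewal daemon default: renew after two thirds of the lifetime


def _parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2024-06-01T00:00:00Z into an aware UTC datetime."""
    # datetime.fromisoformat accepts a trailing "Z" only from Python 3.11 on, so normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_validity(inspect_json: str) -> tuple[datetime, datetime]:
    """Return (not_before, not_after) from inspect JSON."""
    validity = json.loads(inspect_json)["validity"]
    return _parse_rfc3339(validity["start"]), _parse_rfc3339(validity["end"])


def certificate_status(inspect_json: str, now: datetime,
                       fraction: float = RENEW_FRACTION) -> dict:
    """Classify a certificate at time `now`.

    valid:       now lies inside the validity window
    renew_due:   `fraction` of the lifetime has elapsed (also true once expired)
    remaining_s: seconds until NotAfter (negative once expired)
    """
    not_before, not_after = parse_validity(inspect_json)
    lifetime = not_after - not_before
    renew_at = not_before + lifetime * fraction
    return {
        "valid": not_before <= now < not_after,
        "renew_due": now >= renew_at,
        "remaining_s": int((not_after - now).total_seconds()),
    }


def renew_command(cert_path: str, key_path: str) -> list[str]:
    """argv for a non-interactive renewal, suitable for subprocess.run() from cron."""
    return ["step", "ca", "renew", "--force", cert_path, key_path]


if __name__ == "__main__":
    # On a real host the JSON would come from:
    #   subprocess.run(["step", "certificate", "inspect", "service.crt", "--format", "json"],
    #                  capture_output=True, text=True, check=True).stdout
    status = certificate_status(SAMPLE_INSPECT_JSON, datetime.now(timezone.utc))
    print(status)
    if status["renew_due"]:
        print("would run:", " ".join(renew_command("service.crt", "service.key")))
```

Running this from cron every few minutes and only invoking `renew_command` when `renew_due` is set gives the same two-thirds behaviour as `--daemon`, but with the decision visible in your own logs.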

Health check endpoint

Check CA health status:

step ca health

Important Notes

Installation:

Install via: brew install step (macOS), or download from github.com/smallstep/cli

Modern Alternative:

step CLI is a modern, user-friendly alternative to OpenSSL for many certificate operations. It has clearer commands and better defaults.

CA Setup:

For production CA deployments, consider step-ca (the server component) rather than just the CLI. It provides online CA operations.

Zero-Trust:

step is designed for zero-trust infrastructure with short-lived certificates (hours/days, not years). Plan for automated renewal.

SSH Certificates:

SSH certificate support eliminates the need to manage authorized_keys files - trust is centralized in the CA.

ACME Support:

step-ca provides ACME protocol support, making it compatible with certbot, Caddy, and other ACME clients.

Documentation:

Official docs: smallstep.com/docs/step-cli - comprehensive guides for all use cases.

See Also