Herman Slatman 4dd9f4ca30
Merge pull request #1015 from smallstep/herman/fix-go-tpm-v0.9.0
Upgrade `go-tpm` to v0.9.0
2023-09-19 21:53:57 +02:00
.github Merge pull request #913 from smallstep/carl/update-reference-manifest 2023-06-14 16:11:31 -07:00
autocomplete Spelling 2022-10-06 18:25:44 -04:00
cmd/step PEM format check should query whole file for expected header (#1006) 2023-08-17 15:44:44 -07:00
command PEM format check should query whole file for expected header (#1006) 2023-08-17 15:44:44 -07:00
debian Add completion command 2022-02-10 01:26:12 +03:00
docker Assume yes on apt upgrade to avoid non-interactive prompting 2023-06-13 15:01:19 -07:00
docs Add commands for managing policies 2022-04-25 16:26:17 +02:00
exec nolinlint 2022-08-18 19:22:46 -07:00
flags Add `--certificate` flag to `step ssh fingerprint` command 2023-04-12 15:39:17 +02:00
integration more fixup 2023-04-11 15:25:10 -07:00
internal Prevent shelling out to KMS plugin for `softkms` 2023-08-09 21:24:12 +02:00
make Inline the common.mk file into our Makefile since it's not used anywhere else 2023-03-20 20:42:18 -07:00
pkg/bcrypt_pbkdf Remove blackfriday package 2023-04-11 10:22:37 -07:00
powershell Update download URLs 2023-05-16 20:02:24 -07:00
scripts Add completion command 2022-02-10 01:26:12 +03:00
systemd Only restart services which are actually running 2022-12-01 15:41:08 +01:00
token Detect OIDC tokens issued by Kubernetes (#953) 2023-06-07 09:59:22 -07:00
utils Merge branch 'master' into herman/fix-go-tpm-v0.9.0 2023-09-19 21:44:02 +02:00
.VERSION Added version operability for `git archive` | updated zsh-completion 2019-02-21 14:45:41 -08:00
.gitattributes Use git export-subst for versioning when not in git repo. 2019-02-19 13:11:08 -08:00
.gitignore Add go.work and go.work.sum to .gitignore 2022-08-31 12:51:10 -07:00
.gitleaksignore [action] Update workflows 2022-09-23 23:26:11 -07:00
.goreleaser.yml Merge branch 'master' into unversioned-releases 2023-06-14 18:18:30 -07:00
CHANGELOG.md update crypto and certificates packages and update CHANGELOG (#1007) 2023-08-17 16:25:40 -07:00
LICENSE Add full version of the license. 2020-05-26 12:22:00 -07:00
Makefile Inline the common.mk file into our Makefile since it's not used anywhere else 2023-03-20 20:42:18 -07:00
README.md Spelling 2022-10-06 18:25:44 -04:00
SECURITY.md Create SECURITY.md 2022-07-29 15:16:22 -07:00
cosign.pub [action] goreleaser cosign new key pair 2021-08-30 20:39:44 -07:00
go.mod Merge branch 'master' into herman/fix-go-tpm-v0.9.0 2023-09-19 21:44:02 +02:00
go.sum Upgrade to `go-tpm` v0.9.0 and update imports 2023-09-19 21:36:38 +02:00


Step CLI


step is an easy-to-use CLI tool for building, operating, and automating Public Key Infrastructure (PKI) systems and workflows. It's the client counterpart to the step-ca online Certificate Authority (CA). You can use it for many common crypto and X.509 operations—either independently, or with an online CA.

Questions? Ask us on GitHub Discussions or Discord.

Website | Documentation | Installation | Basic Crypto Operations | Contributor's Guide


Step CLI's command groups illustrate its wide-ranging uses:

  • step certificate: Work with X.509 (TLS/HTTPS) certificates.

    • Create, revoke, validate, lint, and bundle X.509 certificates.
    • Install (and remove) X.509 certificates into your system's (and browser's) trust store.
    • Validate certificate deployment and renewal status for automation
    • Create key pairs (RSA, ECDSA, EdDSA) and certificate signing requests (CSRs)
    • Sign CSRs
    • Create RFC5280 and CA/Browser Forum-compliant certificates that work for TLS and HTTPS
    • Create CA certificates (root and intermediate signing certificates)
    • Create self-signed & CA-signed certificates
    • Inspect and lint certificates on disk or in use by a remote server
    • Install root certificates so your CA is trusted by default (issue development certificates that work in browsers)
  • step ca: Administer and use a step-ca server, or any ACMEv2 (RFC8555) compliant CA server. ACME is the protocol used by Let's Encrypt to automate the issuance of HTTPS certificates.

  • step crypto: A general-purpose crypto toolkit

  • step oauth: Add an OAuth 2.0 single sign-on flow to any CLI application.

    • Supports OAuth authorization code, out-of-band (OOB), JWT bearer, and refresh token flows
    • Get OAuth access tokens and OIDC identity tokens at the command line from any provider.
    • Verify OIDC identity tokens (step crypto jwt verify)
  • step ssh: Create and manage SSH certificates (requires an online or offline step-ca instance)

    • Generate SSH user and host key pairs and short-lived certificates
    • Add and remove certificates to the SSH agent
    • Inspect SSH certificates
    • Log in and use single sign-on SSH


See our installation docs here.


Here's a quick example, combining step oauth and step crypto to get and verify the signature of a Google OAuth OIDC token:

Animated terminal showing step in practice
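
What the verification half of that pipeline has to establish, as an added Go example (not code from the step project and not step's implementation): the algorithm is pinned to RS256, the signature covers the first two token segments, and iss, aud and exp match what the caller expects. The key, the `demo-client` audience, the timestamps and the token itself are constructed so the block runs offline; a real check would take the public key from the provider's published JWKS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
var key, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed; stands in for the provider's signing key

// Verify pins the algorithm, checks the signature, then iss, aud and exp (now is Unix seconds).
func Verify(tok string, pub *rsa.PublicKey, iss, aud string, now int64) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed token")
	}
	hdr, _ := b64.DecodeString(p[0]) // a decode error leaves bad data that fails a check below
	body, _ := b64.DecodeString(p[1])
	sig, _ := b64.DecodeString(p[2])
	var h struct{ Alg string }
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" {
		return fmt.Errorf("alg must be RS256") // rejects "none" and HMAC key confusion
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return fmt.Errorf("bad signature")
	}
	var c map[string]any
	_ = json.Unmarshal(body, &c) // on error c stays nil and the claim checks fail
	exp, _ := c["exp"].(float64)
	if c["iss"] != iss || c["aud"] != aud || float64(now) >= exp {
		return fmt.Errorf("iss, aud or exp check failed")
	}
	return nil
}

// main signs a constructed token with the demo key, then verifies it at a constructed time.
func main() {
	body, _ := json.Marshal(map[string]any{"iss": "https://accounts.google.com", "aud": "demo-client", "exp": 2000000000})
	in := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	fmt.Println("verify:", Verify(in+"."+b64.EncodeToString(sig), &key.PublicKey, "https://accounts.google.com", "demo-client", 1700000000))
}
```

The claims are only read after the signature check passes, and a token whose `aud` is missing or is not a single string is rejected rather than matched loosely.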


Further Reading