step ca provisioner add
Name
step ca provisioner add -- add a provisioner
Usage
step ca provisioner add <name> --type=JWK [--public-key=<file>]
[--private-key=<file>] [--create] [--password-file=<file>]
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
ACME
step ca provisioner add <name> --type=ACME
[--force-cn] [--require-eab] [--challenge=<challenge>]
[--attestation-format=<format>] [--attestation-roots=<file>]
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
OIDC
step ca provisioner add <name> --type=OIDC
[--client-id=<id>] [--client-secret=<secret>]
[--configuration-endpoint=<url>] [--domain=<domain>]
[--admin=<email>]...
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
X5C
step ca provisioner add <name> --type=X5C --x5c-roots=<file>
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
SSHPOP
step ca provisioner add <name> --type=SSHPOP
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
Nebula
step ca provisioner add <name> --type=Nebula --nebula-root=<file>
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
K8SSA
step ca provisioner add <name> --type=K8SSA [--public-key=<file>]
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
IID
step ca provisioner add <name> --type=[AWS|Azure|GCP]
[--aws-account=<id>] [--gcp-service-account=<name>] [--gcp-project=<name>]
[--azure-tenant=<id>] [--azure-resource-group=<name>]
[--azure-audience=<name>] [--azure-subscription-id=<id>]
[--azure-object-id=<id>] [--instance-age=<duration>] [--iid-roots=<file>]
[--disable-custom-sans] [--disable-trust-on-first-use]
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
SCEP
step ca provisioner add <name> --type=SCEP [--force-cn] [--challenge=<challenge>]
[--capabilities=<capabilities>] [--include-root] [--exclude-intermediate]
[--min-public-key-length=<length>] [--encryption-algorithm-identifier=<id>]
[--scep-decrypter-certificate-file=<file>] [--scep-decrypter-key-file=<file>]
[--scep-decrypter-key-uri=<uri>] [--scep-decrypter-key-password-file=<file>]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-subject=<subject>]
[--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]
Description
step ca provisioner add adds a provisioner to the CA configuration.
Positional arguments
name
The name of the provisioner.
Options
--type=type
The type
of provisioner to create.
type
is a case-insensitive string and must be one of:
JWK Uses an JWK key pair to sign provisioning tokens. (default)
OIDC Uses an OpenID Connect provider to sign provisioning tokens.
AWS Uses Amazon AWS instance identity documents.
GCP Use Google instance identity tokens.
Azure Uses Microsoft Azure identity tokens.
ACME Uses the ACME protocol to create certificates.
X5C Uses an X509 certificate / private key pair to sign provisioning tokens.
K8SSA Uses Kubernetes Service Account tokens.
SSHPOP Uses an SSH certificate / private key pair to sign provisioning tokens.
SCEP Uses the SCEP protocol to create certificates.
Nebula Uses a Nebula certificate / private key pair to sign provisioning tokens.
--public-key=file
The file
containing the JWK public key. Or, a file
containing one or more PEM formatted keys, if used with the K8SSA provisioner.
--create Create the JWK key pair for the provisioner.
--private-key=file
The file
containing the JWK private key.
--client-id=id
The id
used to validate the audience in an OpenID Connect token.
--client-secret=secret
The secret
used to obtain the OpenID Connect tokens.
--listen-address=address
The callback address
used in the OpenID Connect flow (e.g. ":10000")
--configuration-endpoint=url
OpenID Connect configuration url
.
--admin=email
The email
of an admin user in an OpenID Connect provisioner, this user
will not have restrictions in the certificates to sign. Use the
'--admin' flag multiple times to configure multiple administrators.
--domain=domain
The domain
used to validate the email claim in an OpenID Connect provisioner.
Use the '--domain' flag multiple times to configure multiple domains.
--group=group
The group
list used to validate the groups extension in an OpenID Connect token.
Use the '--group' flag multiple times to configure multiple groups.
--tenant-id=tenant-id
The tenant-id
used to replace the templatized tenantid value in the OpenID Configuration.
--x5c-roots=file
, --x5c-root=file
PEM-formatted root certificate(s) file
used to validate the signature on X5C
provisioning tokens.
--nebula-root=file
Root certificate (chain) file
used to validate the signature on Nebula
provisioning tokens.
--require-eab Require (and enable) External Account Binding (EAB) for Account creation. If this flag is set to false, then disable EAB.
--force-cn Always set the common name in provisioned certificates.
--challenge=challenge
With a SCEP provisioner the challenge
is a shared secret between a
client and the CA.
With an ACME provisioner, this flag specifies the challenge
or challenges to
enable. Use the flag multiple times to configure multiple challenges.
The supported ACME challenges are:
http-01 With the HTTP challenge, the client in an ACME transaction proves its control over a domain name by proving that it can provision HTTP resources on a server accessible under that domain name.
dns-01 With the DNS challenge, the client can prove control of a domain by provisioning a TXT resource record containing a designated value for a specific validation domain name.
tls-alpn-01 With the TLS with Application-Layer Protocol Negotiation (TLS ALPN) challenge, the client can prove control over a domain name by configuring a TLS server to respond to specific connection attempts using the ALPN extension with identifying information.
device-attest-01 With the device attestation challenge, the client can prove control over a permanent identifier of a device by providing an attestation statement containing the identifier of the device.
If the provisioner has no challenges configured, http-01, dns-01 and tls-alpn-01 will be automatically enabled.
--attestation-format=format
Enable an ACME attestation statement format
in the provisioner. Use the flag
multiple times to configure multiple challenges.
The supported ACME attestation formats are:
apple With the apple format, Apple devices can use the device-attest-01 challenge to get a new certificate.
step With the step format, devices like YubiKeys that can generate an attestation certificate can use the device-attest-01 challenge to get a new certificate.
tpm With the tpm format, devices with TPMs can use the device-attest-01 challenge to get a new certificate.
--attestation-roots=file
PEM-formatted root certificate(s) file
used to validate the attestation
certificates. Use the flag multiple times to read from multiple files.
--capabilities=capabilities
The SCEP capabilities
to advertise
--include-root Include the CA root certificate in the SCEP CA certificate chain
--exclude-intermediate Exclude the CA intermediate certificate in the SCEP CA certificate chain
--min-public-key-length=length
The minimum public key length
of the SCEP RSA encryption key
--encryption-algorithm-identifier=id
The id
for the SCEP encryption algorithm to use.
Valid values are 0 - 4, inclusive. The values correspond to:
0: DES-CBC,
1: AES-128-CBC,
2: AES-256-CBC,
3: AES-128-GCM,
4: AES-256-GCM.
Defaults to DES-CBC (0) for legacy clients.
--scep-decrypter-certificate-file=file
The path to a PEM certificate file
for the SCEP decrypter
--scep-decrypter-key-file=file
The path to a PEM private key file
for the SCEP decrypter
--scep-decrypter-key-uri=uri
The key uri
for the SCEP decrypter. Should be a valid value for the KMS type used.
--scep-decrypter-key-password-file=file
The path to a file
containing the password for the SCEP decrypter key
--aws-account=id
The AWS account id
used to validate the identity documents.
Use the flag multiple times to configure multiple accounts.
--azure-tenant=id
The Microsoft Azure tenant id
used to validate the identity tokens.
--azure-resource-group=name
The Microsoft Azure resource group name
used to validate the identity tokens.
Use the flag multiple times to configure multiple resource groups
--azure-audience=name
The Microsoft Azure audience name
used to validate the identity tokens.
--azure-subscription-id=id
The Microsoft Azure subscription id
used to validate the identity tokens.
Use the flag multiple times to configure multiple subscription IDs
--azure-object-id=id
The Microsoft Azure AD object id
used to validate the identity tokens.
Use the flag multiple times to configure multiple object IDs
--gcp-service-account=email
The Google service account email
or id
used to validate the identity tokens.
Use the flag multiple times to configure multiple service accounts.
--gcp-project=id
The Google project id
used to validate the identity tokens.
Use the flag multiple times to configure multiple projects
--instance-age=duration
The maximum duration
to grant a certificate in AWS and GCP provisioners.
A duration
is sequence of decimal numbers, each with optional fraction and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--disable-custom-sans On cloud provisioners, if enabled only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.
--disable-trust-on-first-use, --disable-tofu On cloud provisioners, if enabled multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.
--x509-template=file
The x509 certificate template file
, a JSON representation of the certificate to create.
--x509-template-data=file
The x509 certificate template data file
, a JSON map of data that can be used by the certificate template.
--ssh-template=file
The x509 certificate template file
, a JSON representation of the certificate to create.
--ssh-template-data=file
The ssh certificate template data file
, a JSON map of data that can be used by the certificate template.
--x509-min-dur=duration
The minimum duration
for an x509 certificate generated by this provisioner.
Value must be a sequence of decimal numbers, each with optional fraction, and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--x509-max-dur=duration
The maximum duration
for an x509 certificate generated by this provisioner.
Value must be a sequence of decimal numbers, each with optional fraction, and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--x509-default-dur=duration
The default duration
for an x509 certificate generated by this provisioner.
Value must be a sequence of decimal numbers, each with optional fraction, and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--ssh-user-min-dur=duration
The minimum duration
for an ssh user certificate generated by this provisioner.
Value must be a sequence of decimal numbers, each with optional fraction, and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--ssh-user-max-dur=duration
The maximum duration
for an ssh user certificate generated by this provisioner.
Value must be a sequence of decimal numbers, each with optional fraction, and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--ssh-user-default-dur=duration
The maximum duration
for an ssh user certificate generated by this provisioner.
Value must be a sequence of decimal numbers, each with optional fraction, and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--ssh-host-min-dur=duration
The minimum duration
for an ssh host certificate generated by this provisioner.
Value must be a sequence of decimal numbers, each with optional fraction, and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--ssh-host-max-dur=duration
The maximum duration
for an ssh host certificate generated by this provisioner.
Value must be a sequence of decimal numbers, each with optional fraction, and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--ssh-host-default-dur=duration
The maximum duration
for an ssh host certificate generated by this provisioner.
Value must be a sequence of decimal numbers, each with optional fraction, and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--disable-renewal Disable renewal for all certificates generated by this provisioner.
--allow-renewal-after-expiry Allow renewals for expired certificates generated by this provisioner.
--disable-smallstep-extensions Disable the Smallstep extension for all certificates generated by this provisioner.
--ssh Enable provisioning of ssh certificates. The default value is true. To disable ssh use '--ssh=false'.
--admin-cert=chain
Admin certificate (chain
) in PEM format to store in the 'x5c' header of a JWT.
--admin-key=file
Private key file
, used to sign a JWT, corresponding to the admin certificate that will
be stored in the 'x5c' header.
--admin-subject=subject
, --admin-name=subject
The admin subject
to use for generating admin credentials.
--admin-provisioner=name
, --admin-issuer=name
The provisioner name
to use for generating admin credentials.
--admin-password-file=file
The path to the file
containing the password to decrypt the one-time token
generating key.
--password-file=file
The path to the file
containing the password to encrypt or decrypt the private key.
--ca-url=URI
URI
of the targeted Step Certificate Authority.
--root=file
The path to the PEM file
used as the root certificate authority.
--context=name
The context name
to apply for the given command.
--ca-config=file
The certificate authority configuration file
. Defaults to
$(step path)/config/ca.json
Examples
Create a JWK provisioner with newly generated keys and a template for x509 certificates:
step ca provisioner add cicd --type JWK --create --x509-template ./templates/example.tpl
Create a JWK provisioner and explicitly select the configuration file to update:
step ca provisioner add cicd --type JWK --create --ca-config /path/to/ca.json
Create a JWK provisioner with duration claims:
step ca provisioner add cicd --type JWK --create --x509-min-dur 20m --x509-default-dur 48h --ssh-user-min-dur 17m --ssh-host-default-dur 16h
Create a JWK provisioner with existing keys:
step ca provisioner add jane@doe.com --type JWK --public-key jwk.pub --private-key jwk.priv
Create an OIDC provisioner:
step ca provisioner add Google --type OIDC --ssh \
--client-id 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com \
--client-secret udTrOT3gzrO7W9fDPgZQLfYJ \
--configuration-endpoint https://accounts.google.com/.well-known/openid-configuration
Create an X5C provisioner:
step ca provisioner add x5c --type X5C --x5c-roots x5c_ca.crt
Create an ACME provisioner:
step ca provisioner add acme --type ACME
Create an ACME provisioner, forcing a CN and requiring EAB:
step ca provisioner add acme --type ACME --force-cn --require-eab
Create an ACME provisioner for device attestation:
step ca provisioner add attestation --type ACME --challenge device-attest-01
Create an K8SSA provisioner:
step ca provisioner add kube --type K8SSA --ssh --public-key key.pub
Create an SSHPOP provisioner for renewing SSH host certificates:")
step ca provisioner add sshpop --type SSHPOP
Create a SCEP provisioner with 'secret' challenge and AES-256-CBC encryption:
step ca provisioner add my_scep_provisioner --type SCEP --challenge secret --encryption-algorithm-identifier 2
Create an Azure provisioner with two resource groups, one subscription ID and one object ID:
$ step ca provisioner add Azure --type Azure \
--azure-tenant bc9043e2-b645-4c1c-a87a-78f8644bfe57 \
--azure-resource-group identity --azure-resource-group accounting \
--azure-subscription-id dc760a01-2886-4a84-9abc-f3508e0f87d9 \
--azure-object-id f50926c7-abbf-4c28-87dc-9adc7eaf3ba7
Create an GCP provisioner that will only accept the SANs provided in the identity token:
$ step ca provisioner add Google --type GCP \
--disable-custom-sans --gcp-project internal
Create an AWS provisioner that will only accept the SANs provided in the identity document and will allow multiple certificates from the same instance:
$ step ca provisioner add Amazon --type AWS \
--aws-account 123456789 --disable-custom-sans --disable-trust-on-first-use
Create an AWS provisioner that will use a custom certificate to validate the instance identity documents:
$ step ca provisioner add Amazon --type AWS \
--aws-account 123456789