step ca provisioner add

Name

step ca provisioner add -- add a provisioner

Usage

step ca provisioner add <name> --type=JWK [--public-key=<file>]
[--private-key=<file>] [--create] [--password-file=<file>]
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]

ACME

step ca provisioner add <name> --type=ACME
[--force-cn] [--require-eab] [--challenge=<challenge>]
[--attestation-format=<format>] [--attestation-roots=<file>]
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]

OIDC

step ca provisioner add <name> --type=OIDC
[--client-id=<id>] [--client-secret=<secret>]
[--configuration-endpoint=<url>] [--domain=<domain>]
[--admin=<email>]...
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]

X5C

step ca provisioner add <name> --type=X5C --x5c-roots=<file>
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]

SSHPOP

step ca provisioner add <name> --type=SSHPOP
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]

Nebula

step ca provisioner add <name> --type=Nebula --nebula-root=<file>
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]

K8SSA

step ca provisioner add <name> --type=K8SSA [--public-key=<file>]
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]

IID

step ca provisioner add <name> --type=[AWS|Azure|GCP]
[--aws-account=<id>] [--gcp-service-account=<name>] [--gcp-project=<name>]
[--azure-tenant=<id>] [--azure-resource-group=<name>]
[--azure-audience=<name>] [--azure-subscription-id=<id>]
[--azure-object-id=<id>] [--instance-age=<duration>] [--iid-roots=<file>]
[--disable-custom-sans] [--disable-trust-on-first-use]
[--admin-cert=<file>] [--admin-key=<file>]
[--admin-subject=<subject>] [--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]

SCEP

step ca provisioner add <name> --type=SCEP [--force-cn] [--challenge=<challenge>]
[--capabilities=<capabilities>] [--include-root] [--exclude-intermediate]
[--min-public-key-length=<length>] [--encryption-algorithm-identifier=<id>]
[--scep-decrypter-certificate-file=<file>] [--scep-decrypter-key-file=<file>] 
[--scep-decrypter-key-uri=<uri>] [--scep-decrypter-key-password-file=<file>]
[--admin-cert=<file>] [--admin-key=<file>] [--admin-subject=<subject>] 
[--admin-provisioner=<name>] [--admin-password-file=<file>]
[--ca-url=<uri>] [--root=<file>] [--context=<name>] [--ca-config=<file>]

Description

step ca provisioner add adds a provisioner to the CA configuration.

Positional arguments

name The name of the provisioner.

Options

--type=type The type of provisioner to create.

type is a case-insensitive string and must be one of:

JWK Uses an JWK key pair to sign provisioning tokens. (default)

OIDC Uses an OpenID Connect provider to sign provisioning tokens.

AWS Uses Amazon AWS instance identity documents.

GCP Use Google instance identity tokens.

Azure Uses Microsoft Azure identity tokens.

ACME Uses the ACME protocol to create certificates.

X5C Uses an X509 certificate / private key pair to sign provisioning tokens.

K8SSA Uses Kubernetes Service Account tokens.

SSHPOP Uses an SSH certificate / private key pair to sign provisioning tokens.

SCEP Uses the SCEP protocol to create certificates.

Nebula Uses a Nebula certificate / private key pair to sign provisioning tokens.

--public-key=file The file containing the JWK public key. Or, a file containing one or more PEM formatted keys, if used with the K8SSA provisioner.

--create Create the JWK key pair for the provisioner.

--private-key=file The file containing the JWK private key.

--client-id=id The id used to validate the audience in an OpenID Connect token.

--client-secret=secret The secret used to obtain the OpenID Connect tokens.

--listen-address=address The callback address used in the OpenID Connect flow (e.g. ":10000")

--configuration-endpoint=url OpenID Connect configuration url.

--admin=email The email of an admin user in an OpenID Connect provisioner, this user will not have restrictions in the certificates to sign. Use the '--admin' flag multiple times to configure multiple administrators.

--domain=domain The domain used to validate the email claim in an OpenID Connect provisioner. Use the '--domain' flag multiple times to configure multiple domains.

--group=group The group list used to validate the groups extension in an OpenID Connect token. Use the '--group' flag multiple times to configure multiple groups.

--tenant-id=tenant-id The tenant-id used to replace the templatized tenantid value in the OpenID Configuration.

--x5c-roots=file, --x5c-root=file PEM-formatted root certificate(s) file used to validate the signature on X5C provisioning tokens.

--nebula-root=file Root certificate (chain) file used to validate the signature on Nebula provisioning tokens.

--require-eab Require (and enable) External Account Binding (EAB) for Account creation. If this flag is set to false, then disable EAB.

--force-cn Always set the common name in provisioned certificates.

--challenge=challenge With a SCEP provisioner the challenge is a shared secret between a client and the CA.

With an ACME provisioner, this flag specifies the challenge or challenges to enable. Use the flag multiple times to configure multiple challenges.

The supported ACME challenges are:

http-01 With the HTTP challenge, the client in an ACME transaction proves its control over a domain name by proving that it can provision HTTP resources on a server accessible under that domain name.

dns-01 With the DNS challenge, the client can prove control of a domain by provisioning a TXT resource record containing a designated value for a specific validation domain name.

tls-alpn-01 With the TLS with Application-Layer Protocol Negotiation (TLS ALPN) challenge, the client can prove control over a domain name by configuring a TLS server to respond to specific connection attempts using the ALPN extension with identifying information.

device-attest-01 With the device attestation challenge, the client can prove control over a permanent identifier of a device by providing an attestation statement containing the identifier of the device.

If the provisioner has no challenges configured, http-01, dns-01 and tls-alpn-01 will be automatically enabled.

--attestation-format=format Enable an ACME attestation statement format in the provisioner. Use the flag multiple times to configure multiple challenges.

The supported ACME attestation formats are:

apple With the apple format, Apple devices can use the device-attest-01 challenge to get a new certificate.

step With the step format, devices like YubiKeys that can generate an attestation certificate can use the device-attest-01 challenge to get a new certificate.

tpm With the tpm format, devices with TPMs can use the device-attest-01 challenge to get a new certificate.

--attestation-roots=file PEM-formatted root certificate(s) file used to validate the attestation certificates. Use the flag multiple times to read from multiple files.

--capabilities=capabilities The SCEP capabilities to advertise

--include-root Include the CA root certificate in the SCEP CA certificate chain

--exclude-intermediate Exclude the CA intermediate certificate in the SCEP CA certificate chain

--min-public-key-length=length The minimum public key length of the SCEP RSA encryption key

--encryption-algorithm-identifier=id The id for the SCEP encryption algorithm to use. Valid values are 0 - 4, inclusive. The values correspond to: 0: DES-CBC, 1: AES-128-CBC, 2: AES-256-CBC, 3: AES-128-GCM, 4: AES-256-GCM. Defaults to DES-CBC (0) for legacy clients.

--scep-decrypter-certificate-file=file The path to a PEM certificate file for the SCEP decrypter

--scep-decrypter-key-file=file The path to a PEM private key file for the SCEP decrypter

--scep-decrypter-key-uri=uri The key uri for the SCEP decrypter. Should be a valid value for the KMS type used.

--scep-decrypter-key-password-file=file The path to a file containing the password for the SCEP decrypter key

--aws-account=id The AWS account id used to validate the identity documents. Use the flag multiple times to configure multiple accounts.

--azure-tenant=id The Microsoft Azure tenant id used to validate the identity tokens.

--azure-resource-group=name The Microsoft Azure resource group name used to validate the identity tokens. Use the flag multiple times to configure multiple resource groups

--azure-audience=name The Microsoft Azure audience name used to validate the identity tokens.

--azure-subscription-id=id The Microsoft Azure subscription id used to validate the identity tokens. Use the flag multiple times to configure multiple subscription IDs

--azure-object-id=id The Microsoft Azure AD object id used to validate the identity tokens. Use the flag multiple times to configure multiple object IDs

--gcp-service-account=email The Google service account email or id used to validate the identity tokens. Use the flag multiple times to configure multiple service accounts.

--gcp-project=id The Google project id used to validate the identity tokens. Use the flag multiple times to configure multiple projects

--instance-age=duration The maximum duration to grant a certificate in AWS and GCP provisioners. A duration is sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--disable-custom-sans On cloud provisioners, if enabled only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

--disable-trust-on-first-use, --disable-tofu On cloud provisioners, if enabled multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

--x509-template=file The x509 certificate template file, a JSON representation of the certificate to create.

--x509-template-data=file The x509 certificate template data file, a JSON map of data that can be used by the certificate template.

--ssh-template=file The x509 certificate template file, a JSON representation of the certificate to create.

--ssh-template-data=file The ssh certificate template data file, a JSON map of data that can be used by the certificate template.

--x509-min-dur=duration The minimum duration for an x509 certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--x509-max-dur=duration The maximum duration for an x509 certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--x509-default-dur=duration The default duration for an x509 certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--ssh-user-min-dur=duration The minimum duration for an ssh user certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--ssh-user-max-dur=duration The maximum duration for an ssh user certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--ssh-user-default-dur=duration The maximum duration for an ssh user certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--ssh-host-min-dur=duration The minimum duration for an ssh host certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--ssh-host-max-dur=duration The maximum duration for an ssh host certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--ssh-host-default-dur=duration The maximum duration for an ssh host certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

--disable-renewal Disable renewal for all certificates generated by this provisioner.

--allow-renewal-after-expiry Allow renewals for expired certificates generated by this provisioner.

--disable-smallstep-extensions Disable the Smallstep extension for all certificates generated by this provisioner.

--ssh Enable provisioning of ssh certificates. The default value is true. To disable ssh use '--ssh=false'.

--admin-cert=chain Admin certificate (chain) in PEM format to store in the 'x5c' header of a JWT.

--admin-key=file Private key file, used to sign a JWT, corresponding to the admin certificate that will be stored in the 'x5c' header.

--admin-subject=subject, --admin-name=subject The admin subject to use for generating admin credentials.

--admin-provisioner=name, --admin-issuer=name The provisioner name to use for generating admin credentials.

--admin-password-file=file The path to the file containing the password to decrypt the one-time token generating key.

--password-file=file The path to the file containing the password to encrypt or decrypt the private key.

--ca-url=URI URI of the targeted Step Certificate Authority.

--root=file The path to the PEM file used as the root certificate authority.

--context=name The context name to apply for the given command.

--ca-config=file The certificate authority configuration file. Defaults to $(step path)/config/ca.json

Examples

Create a JWK provisioner with newly generated keys and a template for x509 certificates:

step ca provisioner add cicd --type JWK --create --x509-template ./templates/example.tpl

Create a JWK provisioner and explicitly select the configuration file to update:

step ca provisioner add cicd --type JWK --create --ca-config /path/to/ca.json

Create a JWK provisioner with duration claims:

step ca provisioner add cicd --type JWK --create --x509-min-dur 20m --x509-default-dur 48h --ssh-user-min-dur 17m --ssh-host-default-dur 16h

Create a JWK provisioner with existing keys:

step ca provisioner add jane@doe.com --type JWK --public-key jwk.pub --private-key jwk.priv

Create an OIDC provisioner:

step ca provisioner add Google --type OIDC --ssh \ --client-id 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com \ --client-secret udTrOT3gzrO7W9fDPgZQLfYJ \ --configuration-endpoint https://accounts.google.com/.well-known/openid-configuration

Create an X5C provisioner:

step ca provisioner add x5c --type X5C --x5c-roots x5c_ca.crt

Create an ACME provisioner:

step ca provisioner add acme --type ACME

Create an ACME provisioner, forcing a CN and requiring EAB:

step ca provisioner add acme --type ACME --force-cn --require-eab

Create an ACME provisioner for device attestation:

step ca provisioner add attestation --type ACME --challenge device-attest-01

Create an K8SSA provisioner:

step ca provisioner add kube --type K8SSA --ssh --public-key key.pub

Create an SSHPOP provisioner for renewing SSH host certificates:")

step ca provisioner add sshpop --type SSHPOP

Create a SCEP provisioner with 'secret' challenge and AES-256-CBC encryption:

step ca provisioner add my_scep_provisioner --type SCEP --challenge secret --encryption-algorithm-identifier 2

Create an Azure provisioner with two resource groups, one subscription ID and one object ID:

$ step ca provisioner add Azure --type Azure \ --azure-tenant bc9043e2-b645-4c1c-a87a-78f8644bfe57 \ --azure-resource-group identity --azure-resource-group accounting \ --azure-subscription-id dc760a01-2886-4a84-9abc-f3508e0f87d9 \ --azure-object-id f50926c7-abbf-4c28-87dc-9adc7eaf3ba7

Create an GCP provisioner that will only accept the SANs provided in the identity token:

$ step ca provisioner add Google --type GCP \ --disable-custom-sans --gcp-project internal

Create an AWS provisioner that will only accept the SANs provided in the identity document and will allow multiple certificates from the same instance:

$ step ca provisioner add Amazon --type AWS \ --aws-account 123456789 --disable-custom-sans --disable-trust-on-first-use

Create an AWS provisioner that will use a custom certificate to validate the instance identity documents:

$ step ca provisioner add Amazon --type AWS \ --aws-account 123456789