step certificate sign
Name
step certificate sign -- sign a certificate signing request (CSR)
Usage
step certificate sign <csr-file> <crt-file> <key-file>
[--profile=<profile>] [--template=<file>]
[--set=<key=value>] [--set-file=<file>]
[--password-file=<file>] [--path-len=<maximum>]
[--not-before=<time|duration>] [--not-after=<time|duration>]
[--bundle]
Description
step certificate sign generates a signed certificate from a certificate signing request (CSR).
Positional arguments
csr-file
The path to a certificate signing request (CSR) to be signed.
crt-file
The path to an issuing certificate.
key-file
The path to a private key for signing the CSR.
Options
--kms=uri
The uri
to configure a Cloud KMS or an HSM.
--profile=profile
The certificate profile sets various certificate details such as
certificate use and expiration. The default profile is 'leaf' which is suitable
for a client or server using TLS.
profile
is a case-sensitive string and must be one of:
-
leaf: Signs a leaf x.509 certificate suitable for use with TLS.
-
intermediate-ca: Signs a certificate that can be used to sign additional leaf certificates.
-
csr: Signs a x.509 certificate without modifying the CSR.
--template=file
The certificate template file
, a JSON representation of the certificate to create.
--set=key=value
The key=value
pair with template data variables. Use the --set flag multiple times to add multiple variables.
--set-file=file
The JSON file
with the template data variables.
--password-file=file
The path to the file
containing the password to encrypt or decrypt the private key.
--not-before=time|duration
The time|duration
set in the NotBefore property of the certificate. If a
time
is used it is expected to be in RFC 3339 format. If a duration
is
used, it is a sequence of decimal numbers, each with optional fraction and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--not-after=time|duration
The time|duration
set in the NotAfter property of the certificate. If a
time
is used it is expected to be in RFC 3339 format. If a duration
is
used, it is a sequence of decimal numbers, each with optional fraction and a
unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
"us" (or "µs"), "ms", "s", "m", "h".
--path-len=maximum
The maximum
path length to set in the pathLenConstraint of an intermediate-ca.
Defaults to 0. If it's set to -1 no path length limit is imposed.
--bundle Bundle the new leaf certificate with the signing certificate.
Exit codes
This command returns 0 on success and >0 if any error occurs.
Examples
Sign a certificate signing request using the leaf profile:
$ step certificate sign leaf.csr issuer.crt issuer.key
# or
$ step certificate sign --profile leaf leaf.csr issuer.crt issuer.key
Sign a CSR and bundle the new certificate with the issuer:
$ step certificate sign --bundle leaf.csr issuer.crt issuer.key
Sign a CSR with custom validity and bundle the new certificate with the issuer:
$ step certificate sign --bundle --not-before -1m --not-after 16h leaf.csr issuer.crt issuer.key
Sign an intermediate ca:
$ step certificate sign --profile intermediate-ca intermediate.csr issuer.crt issuer.key
Sign an intermediate ca that can sign other intermediates; in this example, the issuer must set the pathLenConstraint at least to 2 or without a limit:
$ step certificate sign --profile intermediate-ca --path-len 1 intermediate.csr issuer.crt issuer.key
Sign a CSR but only use information present in it, it doesn't add any key or extended key usages if they are not in the CSR.
$ step certificate sign --profile csr test.csr issuer.crt issuer.key
Sign a CSR with only clientAuth as key usage using a template:
$ cat coyote.tpl
{
"subject": {
"country": "US",
"organization": "Coyote Corporation",
"commonName": "{{ .Subject.CommonName }}"
},
"emailAddresses": {{ toJson .Insecure.CR.EmailAddresses }},
"keyUsage": ["digitalSignature"],
"extKeyUsage": ["clientAuth"]
}
$ step certificate create --csr coyote@acme.corp coyote.csr coyote.key
$ step certificate sign --template coyote.tpl coyote.csr issuer.crt issuer.key
Sign a CSR using a template and allow configuring the subject using the --set and --set-file flags.
$ cat rocket.tpl
{
"subject": {
"country": {{ toJson .Insecure.User.country }},
"organization": {{ toJson .Insecure.User.organization }},
"organizationalUnit": {{ toJson .Insecure.User.organizationUnit }},
"commonName": {{toJson .Subject.CommonName }}
},
"sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
"keyUsage": ["digitalSignature"],
{{- end }}
"extKeyUsage": ["serverAuth", "clientAuth"]
}
$ cat organization.json
{
"country": "US",
"organization": "Acme Corporation",
"organizationUnit": "HQ"
}
$ step certificate create --csr rocket.acme.corp rocket.csr rocket.key
$ step certificate sign --template rocket.tpl \
--set-file organization.json --set organizationUnit=Engineering \
rocket.csr issuer.crt issuer.key
Sign a CSR using step-kms-plugin
:
$ step certificate sign \
--kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
leaf.csr issuer.crt 'pkcs11:id=4001'