👣 step CLI

There is official step CLI documentation; the commands below are the most common ones.

Bootstrap

To use the step CLI, you have to bootstrap the CA first:

step ca bootstrap \
    --ca-url {url} \
    --fingerprint {fingerprint}

Tip

To get the fingerprint, use the following command:

step certificate fingerprint certs/root_ca.crt

If you’re on the host, you can use docker exec:

docker exec ca step certificate fingerprint certs/root_ca.crt

CA certificate

To get the CA certificate, use the following step command:

step ca roots --ca-url https://{FQDN}

Single subject certificate

To get a new certificate with a single subject:

step ca certificate {Subject} cert.crt cert.key

Hint

If multiple provisioners are available, you can select one interactively. To explicitly define a provisioner, use the --provisioner={provisioner} CLI argument.

Multiple SAN certificate

To get a new certificate with multiple SANs:

step ca certificate {Subject} cert.crt cert.key \
  --san {Subject} \
  --san {SAN…} \
  --san {SAN…}

Important

The subject needs to be included in the SANs as well.
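
A wrapper around the multiple-SAN command above that always passes the subject as the first `--san`, so it cannot be left out by mistake. This is an added example, not part of the original page; the helper names `san_list` and `issue_cert` are hypothetical, and it assumes a bootstrapped `step` CLI on the PATH.

```shell
#!/bin/sh
# Added example: san_list and issue_cert are hypothetical helper names.
# Function bodies use ( ) so their variables stay out of the caller's shell.

# Print the SAN list one name per line: de-duplicated, in the order given.
# Rejects names that are empty, contain whitespace, or start with "-"
# (the latter would be parsed by step as another flag).
san_list() (
    seen=" "
    for name in "$@"; do
        case $name in
            ''|-*|*[[:space:]]*)
                echo "invalid SAN: '$name'" >&2
                exit 1 ;;
        esac
        case $seen in
            *" $name "*) continue ;;   # already listed, e.g. subject repeated
        esac
        seen="$seen$name "
        printf '%s\n' "$name"
    done
)

# Usage: issue_cert <subject> <crt-file> <key-file> [extra-san ...]
# Requests the certificate with the subject as the first --san.
issue_cert() (
    [ "$#" -ge 3 ] || { echo "usage: issue_cert subject crt key [san ...]" >&2; exit 2; }
    subject=$1 crt=$2 key=$3
    shift 3
    names=$(san_list "$subject" "$@") || exit 1
    set --
    while IFS= read -r n; do
        set -- "$@" --san "$n"
    done <<EOF
$names
EOF
    step ca certificate "$subject" "$crt" "$key" "$@"
)
```

Source the file and call, for instance, `issue_cert {Subject} cert.crt cert.key {SAN…} {SAN…}`; any invalid name aborts the request before `step` is invoked.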

Convert PKCS #12

To convert a certificate and its private key to a PKCS #12 file:

# Via step CLI (not compatible with macOS keychain).
step certificate p12 cert.p12 cert.crt cert.key

# Via OpenSSL (compatible with macOS keychain).
openssl pkcs12 -export -legacy -out cert.p12 -inkey cert.key -in cert.crt

See also

Please read the PKCS #12 incompatibility chapter if you want to know more about the PKCS #12 issues (on macOS).