Skip to content
🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
Go Other
  1. Go 99.3%
  2. Other 0.7%
Branch: master
Clone or download
dopey Change shell to default(sh) and remove vtest
* Remove vtest because it's not used and because
  the output was using a bash shell feature.
Latest commit 71ee01b Sep 17, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Add enhancement issue template Aug 12, 2019
autocomplete Added version operability for `git archive` | updated zsh-completion Feb 21, 2019
cmd/step Refactor common code between ssh and ca to cautils and flags. Aug 14, 2019
command Add ACME CA capabilities Sep 13, 2019
config Do not panic if it cannot create the steppath. Jun 18, 2019
crypto Merge branch 'master' into pki-onboarding Sep 12, 2019
debian replace MIT license with Apache-2.0 license Jan 15, 2019
docker forgot to add docker dir Nov 15, 2018
docs readme: update the structure, remove the cruff, add some CTAs Feb 27, 2019
errs Add ACME CA capabilities Sep 13, 2019
exec Support console mode in `step ca [sign|certificate]` Aug 27, 2019
flags Merge branch 'master' into ssh-ca Sep 5, 2019
integration Fix integration tests. Dec 1, 2018
jose switch to golangci-lint and fix lots of linting errors Aug 27, 2019
make Change shell to default(sh) and remove vtest Sep 17, 2019
pkg Upgrade Mar 20, 2019
token Add initial support for `step ca ssh-certificate` command. Jul 25, 2019
ui Fix homebrew tests that fails trying to allocate a terminal. Feb 12, 2019
usage Don't add to docs Sep 10, 2019
utils Add ACME CA capabilities Sep 13, 2019
.VERSION Added version operability for `git archive` | updated zsh-completion Feb 21, 2019
.gitattributes Use git export-subst for versioning when not in git repo. Feb 19, 2019
.gitignore Remove all linter requirements from Gopkg.toml Aug 27, 2019
.golangci.yml Support console mode in `step ca [sign|certificate]` Aug 27, 2019
.travis.yml bump travis go version to 1.13 Sep 12, 2019 Added version operability for `git archive` | updated zsh-completion Feb 21, 2019 update changelog Sep 29, 2018
Gopkg.lock dep update certificates Sep 13, 2019
Gopkg.toml Revert "Use onboarding branch." Sep 12, 2019
LICENSE it's 2019 Jan 14, 2019
Makefile Add version to git archive artifact name Apr 5, 2019 Fixed link in Aug 31, 2019 Update website release docs Sep 10, 2019

Step CLI

step is a zero trust swiss army knife that integrates with step-ca for automated certificate management. It's an easy-to-use and hard-to-misuse utility for building, operating, and automating systems that use zero trust technologies like authenticated encryption (X.509, TLS), single sign-on (OAuth OIDC, SAML), multi-factor authentication (OATH OTP, FIDO U2F), encryption mechanisms (JSON Web Encryption, NaCl), and verifiable claims (JWT, SAML assertions).

Website | Documentation | Installation Guide | Examples | Contribution Guide

GitHub release Join the chat at CA Image Go Report Card Build Status License CLA assistant

GitHub stars Twitter followers

Animated terminal showing step in practice


step is a powerful security tool that's been carefully designed to be safe and easy to use, even if you don't have a favorite elliptic curve or if you're inclined to forget to check the aud when you verify a JWT.

  • Safe and sane defaults everywhere encourage best practices by making the right thing easy
  • Insecure or subtle operations are gated with flags to prevent accidental misuse
  • In-depth help with examples is available via step help

Work with JWTs (RFC7519) and other JOSE constructs

Work with X.509 (TLS/HTTPS) certificates

  • Create key pairs (RSA, ECDSA, EdDSA) and certificate signing requests (CSRs)
  • Create RFC5280 and CA/Browser Forum compliant X.509 certificates that work for TLS and HTTPS
  • Create root and intermediate signing certificates (CA certificates)
  • Create self-signed & CA-signed certificates, and sign CSRs
  • Inspect and lint certificates on disk or in use by a remote server
  • Install root certificates so your CA is trusted by default (issue development certificates that work in browsers)
  • Get certificates from any ACME compliant CA (coming soon)

Connect to step-ca and get certificates from your own private certificate authority

Command line OAuth and MFA

  • Get OAuth access tokens and OIDC identity tokens at the command line from any provider
  • Supports OAuth authorization code, implicit, OOB, jwt-bearer, and refresh token flows
  • Automatically launch browser to complete OAuth flow (or use console flow)
  • Verify OIDC identity tokens (using step crypt jwt verify)
  • Generate and verify TOTP tokens

NaCl and other crypto utilities

Installation Guide

These instructions will install an OS specific version of the step binary on your local machine. To build from source see getting started with development below.

Mac OS

Install step via Homebrew:

$ brew install step

Note: If you have installed step previously through the smallstep/smallstep tap you will need to run the following commands before installing:

$ brew untap smallstep/smallstep
$ brew uninstall step



Download and install the latest Debian package from releases:

$ wget

# Install the Debian package:
$ sudo dpkg -i step_X.Y.Z_amd64.deb

Arch Linux

We are using the Arch User Repository to distribute step binaries for Arch Linux.

  • The step-cli binary tarball can be found here.
  • The step-ca binary tarball (for step certificates - a sibling repository) can be found here.

You can use pacman to install the packages.


$ step certificate inspect
        Version: 3 (0x2)
        Serial Number: 326381749415081530968054238478851085504954 (0x3bf265673332db2d0c70e48a163fb7d11ba)
    Signature Algorithm: SHA256-RSA
        Issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
            Not Before: Feb 8 13:07:44 2019 UTC
            Not After : May 9 13:07:44 2019 UTC


X.509 Certificates from step-ca

This example assumes you already have step-ca running at https://ca.local.

Get your root certificate fingerprint from the machine running step-ca:

ca$ step certificate fingerprint $(step path)/certs/root_ca.crt

Bootstrap a new machine to trust and connect to step-ca:

$ step ca bootstrap --ca-url https://ca.local \
                    --fingerprint 0eea955785796f0a103637df88f29d8dfc8c1f4260f35c8e744be155f06fd82d

Create a key pair, generate a CSR, and get a certificate from step-ca:

$ step ca certificate foo.local foo.crt foo.key
Use the arrow keys to navigate: ↓ ↑ β†’ ←
What provisioner key do you want to use?
  β–Έ (JWK) [kid: XXX]
    Google (OIDC) [client:]
    Auth0 (OIDC) [client: XXX]
    AWS IID Provisioner (AWS)
βœ” CA: https://ca.local
βœ” Certificate: foo.crt
βœ” Private Key: foo.key

Use step certificate inspect to check our work:

$ step certificate inspect --short foo.crt
X.509v3 TLS Certificate (ECDSA P-256) [Serial: 2982...2760]
  Subject:     foo.local
  Issuer:      Intermediate CA
  Provisioner: [ID: EVct...2B-I]
  Valid from:  2019-08-31T00:14:50Z
          to:  2019-09-01T00:14:50Z

Renew certificate:

$ step ca renew foo.crt foo.key --force
Your certificate has been saved in foo.crt.

Revoke certificate:

$ step ca revoke --cert foo.crt --key foo.key
βœ” CA: https://ca.local
Certificate with Serial Number 202784089649824696691681223134769107758 has been revoked.

$ step ca renew foo.crt foo.key --force
error renewing certificate: Unauthorized

You can install your root certificate locally:

$ step certificate install $(step path)/certs/root_ca.crt

And issued certificates will work in your browser and with tools like curl. See our blog post for more info.

Browser demo of HTTPS working without warnings

Alternatively, for internal service-to-service communication, you can configure your code and infrastructure to trust your root certificate.

X.509 Certificates

The step certificate command group can also be used to create an offline CA and self-signed certificates.

Create a self-signed certificate:

$ step certificate create foo.local foo.crt foo.key --profile self-signed --subtle
Your certificate has been saved in foo.crt.
Your private key has been saved in foo.key.

Create a root CA, an intermediate, and a leaf X.509 certificate. Bundle the leaf with the intermediate for use with TLS:

$ step certificate create --profile root-ca \
     "Example Root CA" root-ca.crt root-ca.key
Please enter the password to encrypt the private key:
Your certificate has been saved in root-ca.crt.
Your private key has been saved in root-ca.key.

$ step certificate create \
     "Example Intermediate CA 1" intermediate-ca.crt intermediate-ca.key \
     --profile intermediate-ca --ca ./root-ca.crt --ca-key ./root-ca.key
Please enter the password to decrypt ./root-ca.key:
Please enter the password to encrypt the private key:
Your certificate has been saved in intermediate-ca.crt.
Your private key has been saved in intermediate-ca.key.

$ step certificate create \ \
     --profile leaf --ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key
Please enter the password to decrypt ./intermediate-ca.key:
Please enter the password to encrypt the private key:
Your certificate has been saved in
Your private key has been saved in

$ step certificate bundle \ intermediate-ca.crt
Your certificate has been saved in

Extract the expiration date from a certificate (requires jq):

$ step certificate inspect --format json | jq -r .validity.end

$ step certificate inspect --format json | jq -r .validity.end

JSON Object Signing & Encryption (JOSE)

Create a JSON Web Key (JWK), add the public key to a keyset, and sign a JSON Web Token (JWT):

$ step crypto jwk create pub.json key.json
Please enter the password to encrypt the private JWK:
Your public key has been saved in pub.json.
Your private key has been saved in key.json.

$ cat pub.json | step crypto jwk keyset add keys.json

$ JWT=$(step crypto jwt sign \
    --key key.json \
    --iss "" \
    --aud "" \
    --sub "" \
    --exp $(date -v+15M +"%s"))
Please enter the password to decrypt key.json:

# Verify your JWT and return the payload:
$ echo $JWT | step crypto jwt verify \
    --jwks keys.json --iss "" --aud ""
  "header": {
    "alg": "ES256",
    "kid": "X6yaHYNyxr-psAqvSNKCWc9oYDetvGdo2n2PSRZjxss",
    "typ": "JWT"
  "payload": {
    "aud": "",
    "exp": 1551290879,
    "iat": 1551289983,
    "iss": "",
    "nbf": 1551289983,
    "sub": ""
  "signature": "JU7fPGqBJcIfauJHA7KP9Wp292g_G9s4bLMVLyRgEQDpL5faaG-3teJ81_igPz1zP7IjHmz8D6Gigt7kbnlasw"

Single Sign-On

Login with Google, get an access token, and use it to make a request to Google's APIs:

$ curl -H"$(step oauth --header)"
Your default web browser has been opened to visit:

  "picture": "",
  "email": "",
  "email_verified": true,
  "hd": ""

Login with Google and obtain an OAuth OIDC identity token for single sign-on:

$ step oauth \
    --provider \
    --client-id \
    --client-secret udTrOT3gzrO7W9fDPgZQLfYJ \
    --bare --oidc
Your default web browser has been opened to visit:[...]


Obtain and verify a Google-issued OAuth OIDC identity token:

$ step oauth \
     --provider \
     --client-id \
     --client-secret udTrOT3gzrO7W9fDPgZQLfYJ \
     --bare --oidc \
     | step crypto jwt verify \
       --jwks \
       --iss \
Your default web browser has been opened to visit:[...]

  "header": {
    "alg": "RS256",
    "kid": "f24d6a1930669cb75f19",
    "typ": "JWT"
  "payload": {
    "iss": "",
    "azp": "",
    "aud": "",
    "sub": "103209689286000948507",
    "hd": "",
    "email": "",
    "email_verified": true,
    "at_hash": "euBvS34BVu0SJQ-EsbBT3A",
    "iat": 1551293134,
    "exp": 1551296734
  "signature": "[...]"

Multi-factor Authentication

Generate a TOTP token and a QR code:

$ step crypto otp generate \
    --issuer --account \
    --qr smallstep.png > smallstep.totp

Scan the QR Code (smallstep.png) using Google Authenticator, Authy or similar software and use it to verify the TOTP token:

$ step crypto otp verify --secret smallstep.totp


Documentation can be found in three places:

  1. On the command line with step help xxx where xxx is the subcommand you are interested in. Ex: step help crypto jwk

  2. On the web at

  3. On your browser by running step help --http :8080 and visiting http://localhost:8080

The Future

We plan to build more tools that facilitate the use and management of zero trust networks.

  • Tell us what you like and don't like about managing identity in your network - we're eager to help solve problems in this space.
  • Tell us what features you'd like to see - open issues or hit us on Twitter.

Further Reading

  • Check out our blog.
  • Eliminate the pain of managing a PKI with step certificates - an online certificate authority and related tools for secure automated certificate management, so you can use TLS everywhere.
You can’t perform that action at this time.